b'U.S. Department of the Interior\nOffice of Inspector General\n\n\n\n\n            AUDIT REPORT\n\n\n     GENERAL CONTROLS OVER THE\n  AUTOMATED INFORMATION SYSTEM,\n   ROYALTY MANAGEMENT PROGRAM,\n    MINERALS MANAGEMENT SERVICE\n\n              REPORT NO. 98-I-336\n                 s MARCH 1998\n\x0c              United States Department of the Interior\n                             OFFICE OF INSPECTOR GENERAL\n                                     Washington. D.C. 20240\n\n\n\n\nMEMORANDUM\n\nTO:                        The Secretary\n\nFROM:                      Robert J. Williams -rg? &&y          cc/Lc-\n                           Acting Inspector General    \xe2\x80\x99\n\nSUBJECT SUMMARY:           Final Audit Report for Your Information - \xe2\x80\x9cGeneral Controls\n                           Over the Automated Information System, Royalty\n                           Management Program, Minerals Management Service\xe2\x80\x9d (No.\n                           98-I-336)\n\nAttached for your information is a copy of the subject final audit report. The objective of our\naudit was to evaluate the adequacy of the general controls over the Minerals Management\nService Royalty Management Program\xe2\x80\x99s automated information system in the areas of\nsecurity program development, physical and logical access, so&are development and\nchange management, separation of duties, system software, and service continuity.\n\nWe found that the Royalty Management Program had established general controls over its\nautomated information system; however, except for the controls over physical access to the\nautomated information system, we concluded that the general controls were not adequate in\nthe six major areas reviewed. Specifically, the Program did not identify and address all risks\naffecting proprietary and financial data in the automated information system, have adequate\nsecurity-related personnel policies and procedures, and have security awareness statements\non tile for all employees who used the automated information system; have adequate logical\naccess controls in the areas of resource classification, default settings, commercial off-the-\nshelf software access controls, access levels granted to users, and numbers of allowed log-in\nattempts; have controls to ensure that client/server application software changes were\nauthorized, approved, and tested before being moved into production; separate the duties of\nthe client/server application programmers from the duties of the users and separate the duties\nof client/server security administrators from reviewers; use mainframe security software that\nwas supported by the vendor and use available mainframe computer system audit tools to\nensure integrity over system processing and data; and include local area networks and\npersonal computers which maintain proprietary and financial data in the Program\xe2\x80\x99s disaster\nrecovery plans. We made 24 recommendations to improve the general controls over the\nProgram\xe2\x80\x99s automated information system.\n\nBased on the response to the draft report from the Director, Minerals Management Service,\nwe deleted one recommendation and revised one recommendation. Also, baaed on the\n\x0cresponse, we considered 1 recommendation    resolved  and implemented             and 12\nrecommendations   unresolved, and we requested additional information             for 10\nrecommendations.\n\nIf you have any questions concerning this matter, please contact me at (202) 208-5745.\n\n\nAttachment\n\x0cI                                                                                      A-l-N-MMS-00 l-97\n\n\n                    United States Department                           of the Interior\n                                    OFFICE OF INSPECTOR GENERAL\n                                              Washington, D.C. 20240\n\n\n\n                                                                       MAR23 I998\n\n\n                                          AUDIT REPORT\n\n\n    Memorandum\n\n    To:        Director, Minerals Management Service\n\n    From:      Robert J. Williams                        . (!/d&d\n               Acting Inspector\n\n    Subject: Audit Report on General Controls Over the Automated Information System,\n             Royalty Management Program, Minerals Management Service (No. 98-I-336)\n\n                                         INTRODUCTION\n\n    This report presents the results of our audit of the general controls over the automated\n    information system at the Minerals Management Service\xe2\x80\x99s Royalty Management Program.\n    We performed this audit to support our audit of the Service\xe2\x80\x99s financial statements, which is\n    required by the Chief Financial Officers Act. The objective of this audit was to evaluate the\n    adequacy of the general controls over the Program\xe2\x80\x99s automated information system in the\n    areas of security program development, physical and logical access, software development\n    and change management, separation of duties, system software, and service continuity.\xe2\x80\x99\n\n    BACKGROUND\n\n    The Minerals Management Service\xe2\x80\x99s Royalty Management Program is responsible for\n    collecting and disbursing revenues of about $4 billion annually that are generated from\n    leasing Federal and Indian lands and for collecting royalties for minerals extracted from\n    leased lands. To aid in accomplishing its -mission objectives and meeting its financial\n    reporting requirements, the Program uses an automated information system that includes a\n    mainframe computer, a minicomputer, and personal computers and servers which support\n    local area networks for each Program division, a wide area network, and an enterprisewide\n\n\n\n\n    \xe2\x80\x98Logical access refers to controls that provide a technicalmeans of controlling what information users can\n    utilize, the programsthey can run, and the modificationsthey can make. (An Introductionto Co-\n    Securitv: The NIST Handbook, Special Publication 800- 12, National Institute of Standards and Technology.)\n\x0cnetwork.\xe2\x80\x99 For collecting rents and royalties, the Program primarily uses the mainframe\ncomputer. For disbursing rents and royalties, verifying collections, and reporting financial\ninformation, the Program uses all of the components of its automated information system.\n\nThe Program\xe2\x80\x99s mainframe computer, minicomputer, and some of the personal computers and\nservers are located in three buildings at the Denver Federal Center, in Denver, Colorado. The\nProgram also has personal computers and servers located in leased buildings in Golden,\nColorado, and at Program division offices in Dallas and Houston, Texas.\n\nSince 1992, Program management has been planning, developing, and moving to a\n\xe2\x80\x9cclient/server\xe2\x80\x9d processing enviromnent.3        In a client/server environment, data are more\ndifficult to protect. Specifically, the data are stored and processed in multiple locations, and\nthe data must travel through telecommunication systems between the clients and the servers\nwhere the data are inherently susceptible to being released to unauthorized outside parties,\nlost, or damaged. Additionally, the, Program\xe2\x80\x99s data are \xe2\x80\x9cproprietary\xe2\x80\x9d; therefore, if access to\nthe data is denied or if the data are inappropriately released, lost, or damaged, the Program,\nsuppliers of the data, or others having an interest in the data could be adversely impacted.\n\nThe Program\xe2\x80\x99s automated information system was operated and maintained by the contractor\nAmerican Management Systems Operations Corporation. The contract with the Corporation\nrequires the Corporation to: (1) maintain system software; (2) maintain and develop\napplication software; and (3) maintain other software, such as teleprocessing and general\nutilities.\n\nOverall system security policies for the Program are established by the Installation\nAutomated Information System Security Officer, within the Program\xe2\x80\x99s Systems Management\nDivision. System security administration for the mainframe computer, the minicomputer,\nthe wide area network, and the enterprisewide network is the responsibility of the\nCorporation.     Security administration for the Program\xe2\x80\x99s local area networks is the\nresponsibility of each of the Program\xe2\x80\x99s seven divisions, which consist of the Accounting and\nReports Division, the Royalty Valuation Division, the Systems Management Division, the\nState and Indian Compliance Division, and the Compliance Divisions at Dallas and Houston\nand Lakewood, Colorado.\n\n\n*Serversare computersthat provide services to client computers on a network. Local area networks are\ncommunication networks located in a small geographical area which connect many computerized input/output\ndevices, generally server computers, client computers, and peripheral hardware such as printers, throngh low-\ncost communication mediums. These networks typically do not use common carrier circuits, such as U.S. West,\nand their circuits do not cross public thoroughfares or property owned by others. Wide area networks span\nlarge geographical areas and typically use circuits provided by common carriers. Enterprisewide networks are\nnetworks that result when all the networks in a single organization are connected together. (Jerry Fitzgerald\nand Alan Dennis, Business Data Communications and Networking, 5th edition, John Wiley & Sons, Inc., 1996,\npps. 249,522,529,542,     and 549.)\n\n3A \xe2\x80\x9cclient/server\xe2\x80\x9d processing environment is a computerized architecture in which one or more \xe2\x80\x9ccomputers\ncalled servers manage shared resources and provide access to those shared resources as a service to their\nclients,\xe2\x80\x9d which are personal computers. (David Vaskevitch, Client /Server Strategies. a Survival Guide for\nCornorate ReenPineering, IDG Books Worldwide, Inc., San Mateo, California, 1993, page 96.)\n\n                                                      2\n\x0cSCOPE OF AUDIT\n\nTo accomplish our objective, we reviewed the general controls that were in place during\nJanuary through June 1997. Specifically, we reviewed the controls in six major areas:\nsecurity program development; logical and physical access; software deirelopment and\nchange management; separation of duties; system software; and service continuity. We\ninterviewed Program and contractor personnel, reviewed systems documentation, observed\nand became familiar with computer center operations and network components, analyzed\nsystem security, and evaluated service continuity procedures and testing. In addition, we\nreviewed procedures to maintain system and application software for the mainframe\ncomputer, the local area networks, the wide area network, and the enterprisewide network.\nBecause our review wan limited to evaluating the adequacy of general controls over the\nautomated information system, we did not evaluate the effectiveness of manual control\nprocedures that may have operated as compensating controls for the automated information\nsystem general controls. While our objective was to review the general controls of the\nautomated information system, the primary emphasis was on the servers that supported data\nprocessed and maintained on the local area, wide area, and enterprisewide networks.\n\nOur audit, which was conducted during December 1996 through August 1997 at the\nProgram\xe2\x80\x99s facilities in Denver and Golden, was made in accordance with the \xe2\x80\x9cGovernment\nAuditing Standards,\xe2\x80\x9d issued by the Comptroller General of the United States. Accordingly,\nwe included such tests of records and other auditing procedures that were considered\nnecessary under the circumstances.\n\nAs part of our audit, we evaluated the internal controls that could adversely affect the\nProgram\xe2\x80\x99s automated information system. The control weaknesses that we found are\nsummarized in the Results of Audit section and discussed in detail in Appendix 1 to this\nreport. If implemented, our recommendations should improve the internal controls in the\nareas reviewed, Because of inherent limitations in any system of internal controls, losses,\nnoncompliance, or misstatements may occur and not be detected. We also caution that\nprojecting our evaluations to future periods is subject to the risk that controls or the degree\nof compliance with the controls may diminish.\n\nPRIOR AUDIT COVERAGE\n\nDuring the past 5 years, the General Accounting Of&e has not issued any reports related\nto the objective and scope of this audit; However, in July 1997, the OffIce of Inspector\nGeneral issued the report \xe2\x80\x9cRoyalty Management Program\xe2\x80\x99s Automated Information Systems,\nMinerals Management Service\xe2\x80\x9d (No. 97-I- 1042), which identified weaknesses in mainfkme\napplication software development and change management. During our current audit, we\nnoted that Program management had agreed with the seven recommendations made in our\nprior audit report and that two of the seven recommendations had been implemented. One\nof the implemented recommendations and three of the recommendations that were resolved\nbut not implemented affected the change request process (change management), which is\ndiscussed in the scope of this audit. We further noted that implementation of the three\n\n\n                                              3\n\x0c    recommendations was delayed because of the priority of implementing the changes mandated\n    by the Federal Oil and Gas Royalty Simplification and Fairness Act of 1996.\n\n                                      RESULTS OF AUDIT\n    The Royalty Management Program had established general controls over its automated\n    information system; however, except for the controls over physical access to the automated\n    information system, we concluded that the general controls were not adequate in the six\n    major areas reviewed. Office of Management and Budget Circular A- 130, \xe2\x80\x9cManagement of\n    Federal Information Resources,\xe2\x80\x9d and National Institute of Standards and Technology\n    publications require Federal agencies to establish and implement computer security and\n    management and internal controls to improve the protection of sensitive information in the\n    computer systems of executive branch agencies.4 Additionally, the Congress enacted laws,\n    such as the Privacy Act of 1974 and the Computer Security Act of 1987, to improve the\n    security and privacy of sensitive information in computer systems by requiring executive\n    branch agencies to ensure that the level of computer security and controls over the sensitive\n    information is adequate. Further, the Department of the Interior and the Program have issued\n    policies and procedures to implement general controls to protect sensitive data in automated\n    information systems. The controls were not adequate because Program management had not\n    established necessary policies and procedures, had not assigned responsibilities for ensuring\n    that policies and procedures were developed and followed, and had not held officials\n    accountable for noncompliance with the established controls. The lack of adequate controls\n    increased the risk of (1) unauthorized access and modifications to and disclosure of Program\n    data, (2) theft or destruction of Program software and sensitive information, and (3) loss of\n    critical Program systems and functions in the event of a disaster or system failure.\n\n    Overall, we identified 13 weaknesses and made 23 recommendations for improving the\n    general controls over the Program\xe2\x80\x99s automated information system. A summary of the\n    weaknesses noted in the six major areas is provided in the following paragraphs, and specific\n    details of the weaknesses and our respective recommendations to correct these weaknesses\n    are in Appendix 1.\n\n    Security Program Development\n\n    We found weaknesses in the automated information system security program. Specifically,\n    Program management did not identify and address all risks affecting proprietary and financial\n.\n    data in the automated information system, did not have adequate sCc*urity-relatedpersonnel\n    policies and procedures, and did not have security awareness statements on file for all\n    employees who used the automated information system. As a result, there was an increased\n    risk that sensitive data may be impaired or compromised by individuals and that data may\n    be inadvertently disclosed or destroyed or erroneously modified. We made seven\n    recommendations to address these weaknesses.\n\n    4The Computer Security Act defines \xe2\x80\x9csensitive\xe2\x80\x9d data as \xe2\x80\x9cany information the loss, misuse, or unauthorized\n    access to or modification of which could adversely affect the national interest or the conduct of Federal\n    programs, or the privacy to which individuals are entitled under the Privacy Act.\xe2\x80\x9d\n\n                                                        4\n\x0cAccess Controls\n\nWe found weaknesses in logical access controls over the Program\xe2\x80\x99s automated information\nsystem. These weaknesses were in the areas of resource classification, default settings,\ncommercial off-the-shelf software access controls, access levels granted to users, and\nnumbers of allowed log-in attempts. As a result, there was an increased risk that sensitive\ndata maintained on the automated information system were vulnerable to unauthorized\naccess, manipulation, and disclosure. We made eight recommendations to address these\nweaknesses.\n\nSoftware Development          and Change Management\n\nWe found that the controls over changes to client/semer application software were not\nadequate.     Specifically, Program management did not have controls to ensure that\nclient/server application software changes were authorized, approved, and tested before being\nmoved into production.       As a result, there was an increased risk that the most critical\nclient/server application software changes were not made and that client/server applications\nwould not perform as intended. We made one recommendation to address this weakness.\n\nSeparation     of Duties\n\nWe found that Program management did not separate the duties of the client/server\napplication programmers from the duties of the users and did not separate the duties of\nclient/server security administrators from reviewers. As a result, there was an increased risk\nthat accidental or intentional actions by programmers could threaten the integrity of the\nProgram\xe2\x80\x99s data and disrupt system processing and that inappropriate actions by security\nadministrators would not be detected or detected timely. We made two recommendations\nto address these weaknesses.\n\nSystem Software Controls\n\nWe found that the controls over system software were not adequate in detecting and\ndetermining inappropriate use. Specifically, the security software in use for the mainframe\ncomputer was no longer supported by the vendor, and available mainframe computer system\naudit tools to ensure integrity over system processing and data were not used. As a result,\nthere was an increased risk that programs and data files would not be protected from\nunauthorized access and that inappropriate mainframe computer system initialization and\nprocessing would not be recorded and identified. Additionally, without periodic reviews of\nthe system audit trails, there was an increased risk that processing problems or unauthorized\nactivities may not be detected or detected timely and that the responsible individual or\nindividuals may not be held accountable for the inappropriate action. We made four\nrecommendations to address these weaknesses.\n\n\n\n\n                                              5\n\x0cService Continuity\n\nWe found that local area networks and personal computers used by the Program\xe2\x80\x99s divisions\nwhich maintain proprietary and financial data were not included in the Program\xe2\x80\x99s disaster\nrecovery plans. As a result, there was an increased risk that critical systems may not be\nrecovered in the event of a disaster or system failure. We made one recommendation to\naddress this weakness.\n\n.Minerals Management          Service Response and Office of Inspector General\nReply\n\nIn the January 2 1, 1998, response (Appendix 2) from the Director, Minerals Management\nService, to our draft report, the Service stated that of the report\xe2\x80\x99s 24 recommendations, it\n\xe2\x80\x9cagree[d]\xe2\x80\x9d with 11 recommendations, \xe2\x80\x9cpartially agree[d]\xe2\x80\x9d with 2 recommendations, and\n\xe2\x80\x9cdisagree[d]\xe2\x80\x9d with 11 recommendations.          Based on the response, we deleted one\nrecommendation (No. F.3) and revised one recommendation (No. 1.1) in the draft report.\nAlso based on the response, we consider 1 recommendation resolved and implemented and\n12 recommendations       unresolved, and we request additional information for 10\nrecommendations. The status of each recommendation is in Appendix 3, and the Service\xe2\x80\x99s\nresponses to the recommendations and our comments are presented within each finding.\n\nAdditional    Comments on Audit Report\n\nThe Service said that it \xe2\x80\x9cdisagree[d]\xe2\x80\x9d with the overall \xe2\x80\x9cimplicit conclusion\xe2\x80\x9d that the Royalty\nManagement Program\xe2\x80\x99s automated information system was not in compliance with Office\nof Management and Budget Circular A-130 and that it believes that it is in \xe2\x80\x9csubstantial\ncompliance with the spirit and intent\xe2\x80\x9d of the Circular. Further, the Service stated that the\naudit report \xe2\x80\x9cdoes not actually deal with the overall or general controls\xe2\x80\x9d because we did not\nreview redundant and compensating controls. In addition, the Service stated that \xe2\x80\x9crecurring\nmanagement control reviews have addressed such manual controls and generally found they\nwere working effectively or prompted corrective actions to resolve minor control\ndeficiencies.\xe2\x80\x9d Further, the Service stated that \xe2\x80\x9caudits performed under the Chief Financial\nOfficers Act of 1990 have covered these controls, and each report concluded that our\nfinancial information was reliable.\xe2\x80\x9d\n\nThe criteria we used included not only Office of Management and Budget Circular A-130\nbut also standards and guidelines referenced in the Circular from the Department of\nCommerce (National Institute of Standards and Technology), the General Services\nAdministration, and the Office of Personnel Management and policies and procedures of the\nDepartment and the Program. Since the controls cited in and referenced by Appendix III of\nCircular A-130 are \xe2\x80\x9ca minimum set of controls\xe2\x80\x9d to be included in an agency\xe2\x80\x99s automated\ninformation security program, we believe that any deviation from these minimum controls\nwould indicate that an agency\xe2\x80\x99s automated information system security program does not\nreduce risk to an acceptable level and ensure that an agency is in compliance with the\nCircular. However, since our review identified weaknesses in the general controls over the\n\n\n                                              6\n\x0c    automated information system in the areas of security program development, access controls,\n    software development and change management, separation of duties, system software\n    controls, and service continuity, we do not believe that the Service\xe2\x80\x99s \xe2\x80\x9csubstantial\n    compliance\xe2\x80\x9d with the minimum controls set forth in the Circular was adequate to address the\n    potential risks identified by our review.\n\n    While we stated that we did not evaluate the effectiveness of manual control procedures\n    which may have operated as compensating controls in the scope section of the report, the\n    audit staff did evaluate the general controls that were defined in the Program\xe2\x80\x99s policies and\n    procedures. Because redundant or compensating controls were not cited by the Program in\n    its policies and procedures as the primary controls used to ensure the integrity,\n    confidentiality, and availability of Program information, these controls were not evaluated.\n\n    During the audit, we reviewed an Automated Information Systems Review that the Service\n    performed in fiscal year 1996 which concentrated on the Program\xe2\x80\x99s change management\n    controls over applications in the mainframe environment. The Service\xe2\x80\x99s review identified\n    weaknesses concerning application testing and documentation that we also cited in the Prior\n    Audit section of this report. Further, we found similar weaknesses in software development\n    and change management         controls in the client/server environment (see Finding I in\n    Appendix 1.)\n\n    While we are not questioning that the financial statements were presented fairly, we found,\n    as a result of our evaluation, inadequacies in the Program\xe2\x80\x99s general controls over the\n    automated information system in the areas of security program development, access controls,\n    software development and change management, separation of duties, system software\n    controls, and service continuity. These weaknesses, identified with the general controls, will\n    result in our having to raise the overall level of risk of possible loss associated with the\n    internal control structure of the Royalty Management Program in future financial statement\n    audits.\n\n    Regarding system security, we agree that system security controls implemented should be\n    measured against costs and risks. However, the Program did not provide evidence that such\n    a measurement study was performed. Further, our findings identified breakdowns in existing\n    controls cited in the Program\xe2\x80\x99s policies and procedures. While no system is completely free\n    of errors, an adequate security program would provide a foundation for the Service to\n    determine what controls were operating effectively and the level of risk that the Service is\n.   mitigating with these controls.     .\n\n    We disagree that the Program is being held to \xe2\x80\x9cunattainable standards\xe2\x80\x9d because the standards\n    we used were those cited in Appendix III of Circular A- 130 as \xe2\x80\x9cthe minimum set of controls\xe2\x80\x9d\n    to be included in an agency\xe2\x80\x99s automated information security program. In addition, in our\n    evaluation of the Program\xe2\x80\x99s general controls as defined in its policies and procedures, we\n    found that the controls were not operating effectively.\n\n\n\n\n                                                  7\n\x0cWe disagree with the Service\xe2\x80\x99s statement that our findings did not demonstrate a \xe2\x80\x9csingle\nnegative impact\xe2\x80\x9d because the impact of these inadequacies taken as a whole indicates that\nthere is no assurance that the overall risk to the Program was at an acceptable level.\n\nIn accordance with the Departmental Manual (360 DM 5.3), we are requesting a written\nresponse to this report by April 17, 1998. The response should provide the information\nrequested in Appendix 3.\n\nThe legislation, as amended, creating the Office of Inspector General requires semiannual\nreporting to the Congress on all audit reports issued actions taken to implement audit\nrecommendations, and identification of each significant recommendation on which corrective\naction has not been taken.\n\nWe appreciate the assistance of Minerals Management Service personnel in the conduct of\nour audit.\n\x0c                                                                                APPENDIX 1\n                                                                                 Page 1 of 33\n\n DETAILS OF WEAKNESSES AND RECOMMENDATIONS\n\nSECURITY        PROGRAM\n\nA. Risk Assessments\n\nCondition:   Risk assessments of the Royalty Management Program\xe2\x80\x99s automated\n             information system did not identify and address all risks affecting proprietary\n             and financial data in the automated information system or correctly assess some\n             of the risk elements. For example, we found that Program management did\n             not:\n\n                   - Identify and address the impact that (1) converting to the year 2000\n             would have on application processing, (2) using system security software\n             which is no longer supported by the vendor could have on operations, and (3)\n             having royalty and financial information on local area network applications and\n             personal computer databases could have on operations.\n\n                   - Correctly assess the risk for the \xe2\x80\x9cGeopolitical\xe2\x80\x9d and \xe2\x80\x9cExternal\n             Directives\xe2\x80\x9d elements, which were assessed as low risk. Significant geopolitical\n             and external directives, such as the possible abolishment of the Program and\n             the enactment of the Federal Oil and Gas Royalty Simplification and Fairness\n             Act, have impacted the Program during the past 2 years. We believe that the\n             level of risk associated with these elements was such that it increased the\n             potential for lowering employee morale and thus increased the risk of sabotage\n             or breach of other physical security measures, as well as the possibility of data\n             errors and omissions that affect data and system integrity.\n\nCriteria:     Office of Management and Budget Circular A- 130, Appendix III, \xe2\x80\x9cSecurity of\n              Federal Automated Information Resources,\xe2\x80\x9d states that adequate security\n              \xe2\x80\x9cincludes assuring that systems and applications used by the agency operate\n              effectively and provide appropriate confidentiality, integrity, and availability,\n              through the use of cost-effective management,. personnel, operational, and\n             \xe2\x80\x99technical controls.\xe2\x80\x9d The Circular further states that, although formal risk\n              analyses need not be performed, \xe2\x80\x9cthe need to determine adequate security will\n              require that a risk-based approach be used.\xe2\x80\x9d According to the Circular, \xe2\x80\x9cThis\n              risk assessment approach should include a consideration of the major factors\n              in risk management:         the value of the system or application, threats,\n              vulnerabilities, and the effectiveness of current or proposed safeguards.\xe2\x80\x9d Also,\n              the National Institute of Standards and Technology\xe2\x80\x99s \xe2\x80\x9cAn Introduction to\n              Computer Security: The NIST Handbook\xe2\x80\x9d provides guidance on computer\n              security risk management. The NIST Handbook specifically addresses the\n\n\n                                              9\n\x0c                                                                                  APPENDIX 1\n                                                                                   Page2of33\n\nSECURITY        PROGRAM\n\n             selection of safeguards to mitigate risk and the acceptance of residual risk. In\n             addition, Program policy requires that local area network administrators\n             participate in the risk assessment process.\n\nCause:       Program management did not ensure that risk assessments were performed in\n             accordance with risk management guidelines. Specifically, the assessments did\n             not address (1) all risks associated with its automated information system, (2)\n             the selection of safeguards to mitigate risks, and (3) the acceptance of residual\n             risk. In addition, Program management did not effectively communicate the\n             responsibility of local area network administrators to participate in risk\n             assessments and had not adequately addressed that local area network\n             applications and personal computer databases should be included in the\n             Program\xe2\x80\x99s security program.\n\nEffect:      Without identifying all significant threats and vulnerabilities to the automated\n             information system, Program management was unable to determine the most\n             appropriate measures needed to protect against threats or reduce the\n             vulnerabilities. Further, without including the Program\xe2\x80\x99s local area network\n             applications and personal computer databases as part of the risk assessments,\n             there was little assurance that all threats and vulrrerabilities were identified and\n             considered when Program security policies and plans were developed.\n             Therefore, there was an increased risk that critical Program resources would. not\n             be adequately protected and that expensive controls would be implemented for\n             resources that did not require significant protection.\n\nRecommendations:\n\nWe recommend that the Director, Minerals Management Service:\n\n    1. Ensure that risk assessments are conducted in accordance with guidelines which\nrecommend that risk assessments support the acceptance of risk and the selection of\nappropriate controls. Specifically, the assessments should address significant risks affecting\nsystems, appropriately identify controls implemented to mitigate those risks, and formalize\nthe acceptance of the residual risk.\n\n    2. Formally assign and communicate responsibility to local area network administrators\nto participate in risk assessments and ensure compliance with the Program\xe2\x80\x99s security policy.\n\n    3. Determine the risks associated with local area network applications and personal\ncomputer databases which contain proprietary and financial data and, based on the results of\nthe risk assessments, establish appropriate security policies and procedures.\n\n                                              10\n\x0c                                                                                APPENDIX 1\n                                                                                 Page 3 of 33\n\nSECURITY        PROGRAM\n\n\nMinerals Management           Service Response and Office of Inspector General\nReply\n\nBased on the Service\xe2\x80\x99s response, we request that the Service provide additional information\nfor Recommendation 3 and that it reconsider its responses to Recommendations 1 and 2,\nwhich are unresolved (see Appendix 3).\n\nRecommendation 1. Nonconcurrence.\n\n    Service Response. The Service stated that it \xe2\x80\x9cplans to enhance and better document\xe2\x80\x9d its\nrisk assessment process. The Service further stated that it believed its \xe2\x80\x9cprevious assessments\nwere in accordance with guidelines\xe2\x80\x9d because of the \xe2\x80\x9crapidly changing computing and\ncommunication environment.\xe2\x80\x9d\n\n     Office of Inspector General Reply. We disagree that \xe2\x80\x9cprevious assessments were in\naccordance with guidelines.\xe2\x80\x9d Office of Management and Budget Circular A- 130, Appendix\nIII, and referenced standards and guidelines of the National Institute of Standards and\nTechnology state that \xe2\x80\x9crisk management is the process of assessing risk, taking steps to\nreduce risk to an acceptable level, and maintaining that level of risk.\xe2\x80\x9d Since the Service did\nnot address a number of significant conditions/issues that affect risks to the Program\xe2\x80\x99s\nautomated information system, identify the risks associated with these conditions, or identify\nthe controls in place to reduce the risks to an acceptable level, we believe that the Program\xe2\x80\x99s\nrisk assessment process was not in accordance with the guidelines. Additionally, Appendix\nIII of Circular A- 130 was revised so that Federal computer security programs could better\nrespond to the rapidly changing technological environment. Although the Service disagreed\nwith the recommendation, we believe that its action to enhance and document its risk\nassessment process is indicative of its intent to comply with the recommendation. However,\nwe request that the Service clarify its intent (see Appendix 3).\n\nRecommendation 2. Nonconcurrence.             .\n                         .                                                          . .\n    Service Response. The Service stated that policies \xe2\x80\x9cdefine the LAN [local area network]\nadministrators\xe2\x80\x99 role in contingency planning and security,\xe2\x80\x9d and it provided additional\ninformation to support its position.\n\n    Offke of Inspector General Reply. While the additional information did address the\nadministrators\xe2\x80\x99 role in contingency planning and security, it did not address the\nrecommendation. The \xe2\x80\x9cRMP Automated Information Systems Security Manual\xe2\x80\x9d states that\nadministrators should participate in the risk assessment process. During our audit, we found\n\n\n                                              11\n\x0c                                                                                 APPENDIX 1\n                                                                                  Page 4 of 33\n\nSECURITY        PROGRAM\n\nthat the administrators were not always aware of their responsibilities to identify risks and\nimplement controls that would mitigate risks and that the administrators\xe2\x80\x99 individual position\ndescriptions did not always address these responsibilities.\n\nAdditional    Comments        on Finding\n\nThe Service stated that it believes that we did not apply risk assessment criteria appropriately\nbecause \xe2\x80\x9cCircular A- 130 states \xe2\x80\x98the Appendix no longer requires the preparation offormal\nrisk analyses\xe2\x80\x99 and that risk assessments \xe2\x80\x98can be formal or informal, detailed or simpliJied,\nhigh or low level, quantitative (computationally based) or qualitative (based on descriptions\nor rankings), or a combination of these. No single method is best for all users and all\nenvironments. \xe2\x80\x9c\xe2\x80\x99\n\nWe agree that formal risk analyses are not required and that risk assessments can be formal\nor informal. However, we found that the Program\xe2\x80\x99s analyses were not based on risk-based\nmanagement as described by Appendix III of Circular A- 130 and referenced standards and\nguidelines of other Federal executive branch agencies and the Departmental Manual (375\nDM 19). According to the NIST Handbook, risk-based management \xe2\x80\x9cis the process of\nassessing risk, taking steps to reduce risk to an acceptable level, and maintaining that level\nof risk,\xe2\x80\x9d In its response, the Service provided additional information related to each of the\nexamples in this finding. However, the additional information provided did not indicate that\nthe Program used risk-based management in developing its controls.\n\n\n\n\n                                              12\n\x0c                                                                             APPENDIX 1\n                                                                              Page 5 of 33\n\nSECURITY       PROGRAM\n\nB. Security-Related      Personnel Policies and Procedures\n\nCondition:   The Program\xe2\x80\x99s security-related personnel policies and procedures were not\n             adequate to ensure system integrity. Specifically, we found that:\n\n                    - Contractor employees received the same type of background check and\n             security clearance regardless of their duties and the risk associated with the\n             computer-related work they performed. Thus, contractor employees, such as\n             system programmers and computer operators, who could bypass technical and\n             operational controls, received the same security clearance as administrative\n             assistants.\n\n                    - Computer-related work was not technically reviewed by contractor or\n             Program personnel whose position sensitivity was greater than that of the\n             position sensitivity of individuals performing the work.\n\n                    - Contractor employees did not always submit requests for background\n             checks for security clearances. Further, the requests that were submitted for\n             background checks were not submitted within the time frames specified in the\n             contract. An average of 175 calendar days elapsed, instead of the 2 weeks\n             stipulated in the contract, between the dates the employees were hired and the\n             dates the requests were received by the Minerals Management Service\xe2\x80\x99s\n             Security Officer in Personnel for forwarding to the Office of Personnel\n             Management. The Office of Personnel Management performed background\n             checks for the same employees in an average of 84 days, and the Minerals\n             Management Service approved the security clearances in an average of 22 days.\n             Thus, most of the delay in the security clearance process was attributable to\n             contractor and Program personnel.\n\n                   - Systems Management Division employees did not have documentation\n             to support that appropriate background checks for security clearances and\n             required periodic followup background checks had been performed.                 .\n\n\nCriteria:    The Departmental Manual (441 DM) specifies that position sensitivity should\n             be based upon risk factors such as degree of public trust, fiduciary\n             responsibilities, importance to program, program authority level, and\n             supervision received. In addition, the Manual requires consideration of\n             automated data processing (ADP) factors, such as the level of responsibility\n             and technical review of work, for incumbents who are responsible for planning,\n             directing, and implementing        computer security; planning, directing,\n             implementing, operating, and maintaining computer systems; and accessing or\n\n                                            13\n\x0c                                                                                  APPENDIX 1\n                                                                                   Page 6 of 33\n\n SECURITY         PROGRAM\n\n               processing automated information records systems that contain proprietary\n               data. Further, work is to be technically reviewed by individuals filling ADP\n               \xe2\x80\x9ccritical-sensitive\xe2\x80\x9d positions when individuals filling ADP \xe2\x80\x9cnoncritical-\n               sensitive\xe2\x80\x9d positions perform computer work such as directing, planning,\n               designing, operating, and maintaining a computer system to ensure system\n               integrity. In addition, the terms of the contract require that the \xe2\x80\x9cassistant\n               manager\xe2\x80\x9d positions\xe2\x80\x99 sensitivity level be ADP \xe2\x80\x9ccritical-sensitive,\xe2\x80\x9d that\n               background check requests be submitted to the Service within 2 weeks after\n               an employee\xe2\x80\x99s hire date, and that the employees be in probationary status until\n               the background checks are completed and the security clearances are approved.\n\n Cause:        The Systems Management Division stti and the contractor staff who were\n               responsible for technical reviews of the work were not in positions classified\n               as ADP \xe2\x80\x9ccritical-sensitive.\xe2\x80\x9d Additionally, Program contracting personnel did\n               not ensure that contractor personnel (1) submitted requests for background\n               checks and (2) remained in probationary status and did not perform critical\n               computer work until background checks were completed and security\n               clearances were approved. Further, personnel or security files did not reflect\n               that appropriate background checks or that required periodic followup\n               background checks were performed.\n\n Effect:       As a result, there was an increased risk that employees would perform critical\n               automated information system operations and maintenance work without\n               appropriate oversight or adequate assurance that their backgrounds would\n               warrant such trust.\n\n Recommendations:\n\n We recommend that the Director, Minerals Management Service:\n\n       1. Evaluate Systems Management Division and contractor ADP positions to determine\n. position sensitivity in relation to risk and ADP factors. Also, assurance should be provided      ,\n  that automated information system work is technically reviewed by persons whose position\n  sensitivity levels are greater than the position sensitivity levels of the employees who are\n  performing the work.\n\n     2. Establish controls to ensure that the contractor is fulfilling its contractual obligation\n of submitting requests for background checks within the specified time frame and that\n contractor employees who are in probationary status and awaiting security clearances are not\n performing critical ADP work.\n\n\n\n                                                14\n\x0c                                                                               APPENDIX 1\n                                                                                Page 7 of 33\n\nSECURITY        PROGRAM\n\n    3. Establish controls to ensure that personnel or security files accurately reflect that\nbackground checks and periodic followup background checks are performed as required.\n\nMinerals Management           Service Response and Office of Inspector General\nReply\n\nBased on the Service\xe2\x80\x99s response, we request that the Service provide additional information\nfor Recommendations 1 and 2 and that it reconsider its response to Recommendation 3,\nwhich is unresolved (see Appendix 3).\n\nRecommendation 1. Partially concur.\n\n    Service Response. The Service stated it planned to \xe2\x80\x9creevaluate the position sensitivity\nlevel for the senior personnel in charge of the contractor activity to determine if those\nposition[s] should be classified at a higher level. In accordance with Departmental criteria,\nmost ADP [automated data processing] staff are designated noncritical sensitive. We doubt\nit was the OIG\xe2\x80\x99s [Office of Inspector General] intention to imply that all work must be\nreviewed by persons at a higher sensitivity level; however, this would be impossible in a\nmultiple level organization because there are only two sensitivity levels from which to\nchoose, i.e., \xe2\x80\x98noncritical-sensitive\xe2\x80\x99 and critical-sensitive.\xe2\x80\x9c\xe2\x80\x99\n\n    Office of Inspector General Reply. The Departmental Manual identifies four\nsensitivity levels. Further, although the Service indicated that some staff would have the\nnext higher security level of \xe2\x80\x9ccritical-sensitive\xe2\x80\x9d to perform technical reviews, we found that\nonly one ADP staff position was classified as \xe2\x80\x9ccritical-sensitive\xe2\x80\x9d and that the position was\nnot responsible for performing technical reviews. Although the Service only partially\nconcurred with the recommendation, we believe that the action to reevaluate position\nsensitivity levels is indicative of its intent to comply with the recommendation.\n\nRecommendation 2. Partially concur.\n\n    Service Response. The Service said that it agreed that controls were needed to ensure\nthat the contractor submitted requests for background checks in a timely manner. The\nService further stated that the contractor had been \xe2\x80\x9cdirected\xe2\x80\x9d and had \xe2\x80\x9cbegun to track and is\naccountable for the status of its submission of these requests.\xe2\x80\x9d The Service also said that it\nagreed that contractor employees awaiting clearances should be in \xe2\x80\x9cprobationary status\xe2\x80\x9d but\nthat having the employees not performing their assigned duties would be \xe2\x80\x9cunacceptably\ncostly.\xe2\x80\x9d According to the Service, it was \xe2\x80\x9cexploring alternatives\xe2\x80\x9d with the contractor such\nas having the contractor \xe2\x80\x9cperform a preliminary \xe2\x80\x98criminal and credit check\xe2\x80\x99 which is quick\nand inexpensive.\xe2\x80\x9d\n\n\n                                              15\n\x0c                                                                               APPENDIX 1\n                                                                                Page 8 of 33\n\nSECURITY        PROGRAM\n\n     Offke of Inspector General Reply. Preliminary investigations would be a suitable\nalternative to prohibiting contractor employees from performing their assigned duties before\nthe background clearances have been accomplished. Although the Service only partially\nconcurred with the recommendation, we believe that its action to evaluate alternatives such\nas preliminary investigations is indicative of its intent to comply with this recommendation.\n\nRecommendation 3. Nonconcurrence.\n\n     Service Response. The Service stated that controls are \xe2\x80\x9cin place to ensure that personnel\nor security files accurately reflect background checks.\xe2\x80\x9d The Service further stated that its\nOffice of Administration and Budget \xe2\x80\x9cmaintains documentation and a tracking system\xe2\x80\x9d on\nall security clearances and background checks of its employees and contractors. The Service\nstated that it disagreed with our statement that followup background checks are required,\nstating that it is in compliance with Department of the Interior guidance which states that\nfollowup checks \xe2\x80\x9care authorized only for national security positions and not for public trust\npositions.\xe2\x80\x9d\n\n    Office of Inspector General Reply. The Office of Administration and Budget\xe2\x80\x99s\ndocumentation and tracking system, while serving as part of the control, did not ensure that\npersonnel or security files accurately reflected that background checks were requested and\ndocumented in the \xe2\x80\x9cofficial personnel files\xe2\x80\x9d of the employees.            Additionally, the\nDepartmental guidance included by the Service was dated 1993; however, the Code of\nFederal Regulations (5 CFR l), dated 1997, states that followup background checks are\nrequired of employees in positions that are for national security and other positions\nconsidered to be \xe2\x80\x9chigh risk.\xe2\x80\x9d The Office\xe2\x80\x99s Security Officer verified that the Program has\nemployees in \xe2\x80\x9chigh risk\xe2\x80\x9d positions, such as the Chief, Systems Management Division; the\nInstallation Security Offrcer; the Contractor\xe2\x80\x99s Project Manager; and supervisors within the\nSystems Management Division. As such, employees in these positions would be required\nto have followup background checks.\n\n\n\n\n                                              16\n\x0c                                                                               APPENDIX 1\n                                                                                Page 9 of 33\n\nSECURITY       PROGRAM\n\nC. Security Awareness         Statements\n\nCondition:   We found that automated information system users did not have security\n             awareness statements on file acknowledging the employees\xe2\x80\x99 acceptance of their\n             responsibilities to safeguard the Program\xe2\x80\x99s proprietary data and assets.\n\nCriteria:    The Department\xe2\x80\x99s \xe2\x80\x9cAutomated Information Systems Security Handbook\xe2\x80\x9d\n             requires employees who use sensitive automated information system resources\n             to sign statements acknowledging their responsibilities for the security of the\n             resources. Additionally, the \xe2\x80\x9cRMP [Royalty Management Program] Automated\n             Information Systems Security Manual\xe2\x80\x9d requires that employees sign a Minerals\n             Management Service Security Statement, which acknowledges their\n             responsibilities to safeguard Program-sensitive data and assets, and requires the\n             Installation Automated Information System Security Officer (Installation\n             Security Officer) to verify that security awareness statements are signed by the\n             employees before their system access requests are approved.\n\nCause:       Program management did not ensure that its employees signed security\n             awareness statements. In addition, the Installation Security Officer did not\n             ensure that security statements were on file before the Installation Security\n             Officer approved access to the automated information system.\n\nEffect:      As a result, employees may not be aware of their responsibilities to safeguard\n             automated information system data and assets and thus inadvertently disclose\n             sensitive information.\n\nRecommendation:\n\nWe recommend that the Director, Minerals Management Service, establish controls to\nenforce Program policy which requires employees to sign security awareness statements\nbefore access to system resources is approved by the Installation Automated Information\nSystem Security Officer.\n\n\n\n\n                                             17\n\x0c                                                                               APPENDIX 1\n                                                                               Page 10 of 33\n\nSECURITY PROGRAM\n\nMinerals Management           Service Response and Offke of hispector               General\nReply\n\nBased on the Service\xe2\x80\x99s response, we request that the Service reconsider its response to the\nrecommendation, which is unresolved (see Appendix 3).\n\nThe Service stated that while its own test sample confirmed that users have appropriate\naccess to the Program\xe2\x80\x99s systems, it \xe2\x80\x9cconcur[s] that [its] filing system for access approvals\nneeded improvement.\xe2\x80\x9d The Service further stated that all statements are \xe2\x80\x9cnow consistently\nfiled and reconciled by the ADP security officer.\xe2\x80\x9d\n\nThe Service agreed with the recommendation and said that it was implemented. However,\nwhile the security awareness statements referred to in the finding provide evidence that users\naccepted their responsibility to safeguard the Program\xe2\x80\x99s proprietary data and assets, these\nstatements do not support the appropriateness of access to Program systems. Without\nfamiliarity with the methodology employed in the Service\xe2\x80\x99s test, such as sample selection\nand test performance, we must rely on the tests performed using statistical sampling software\nand generally accepted Government auditing standards followed by the audit staff. Further,\nthe Service stated, in its response to Recommendation D.2, that \xe2\x80\x9call MMS [Minerals\nManagement Service] employees are granted access to view royalty, production, and\nreference data.\xe2\x80\x9d Accordingly, if the Service\xe2\x80\x99s tests did not include all Service employees,\nthere is no assurance that all statements have been filed and reconciled. Therefore, we\nconsider this recommendation unresolved and request that the Service reconsider its response\nto the recommendation (see Appendix 3).\n\n\n\n\n                                             18\n\x0c                                                                                               APPENDIX 1\n                                                                                               Page 11 of 33\n\nACCESS CONTROLS\n\nD. Resource Classifications\n\nCondition:      The Program\xe2\x80\x99s computer resources (data files, application programs, and\n                computer-related facilities and equipment) were not classified appropriately to\n                determine the levels of access controls that should be implemented over the\n                resources.    For example, no \xe2\x80\x9cmajor application\xe2\x80\x9d\xe2\x80\x99 was identified in the\n                Program\xe2\x80\x99s annual security plan, even though the applications and data files\n                were \xe2\x80\x9cproprietary\xe2\x80\x9d and critical to the Program in accomplishing its mission and\n                reporting financial information. Further, access controls over sensitive data on\n                the servers used by the Program\xe2\x80\x99s divisions were not as stringent as the access\n                controls over sensitive data on the mainframe.\n\nCriteria:       Office of Management and Budget Circular A-130, Appendix III, directs\n                agencies to assume that all major systems contain some sensitive information\n                that needs to be protected but to focus extra security controls on a limited\n                number of particularly high-risk or major applications. According to the NIST\n                Handbook, \xe2\x80\x9cSecurity levels, costs, measures, practices, and procedures should\n                be appropriate and proportionate to the value of and degree of reliance on the\n                information systems and to the severity, probability, and extent of potential\n                harm.\xe2\x80\x9d Further, the determinations should flow directly from the results of risk\n                assessments that identify threats, vulnerabilities, and the potential negative\n                effects that could result from disclosing confidential data or failing to protect\n                the integrity of data supporting critical transactions or decisions. Accordingly,\n                Program policy requires that users be given access only to the resources needed\n                to perform their assigned duties.\n\nCause:          Program management had not identified the resources that needed significant\n                protection. Further, Program management did not require application owners\n                who are responsible for approving user access levels to the applications to\n                classify their resources based on the level of sensitivity of the information\n                contained in their applications.\n   .\nEffect:         As a result, there was an increased risk that resources were not adequately\n                protected from unauthorized access and disclosure and therefore were subject\n                to either accidental or intentional changes to computer operations and data.\n\n\n\xe2\x80\x98Office of Management and Budget Circular A-130, Appendix III, identifies a \xe2\x80\x9cmajor application\xe2\x80\x9d as an\n\xe2\x80\x9capplication that requires special attention to security due to the risk and magnitude of harm resulting from the\nloss, misuse, or unauthorized access to or modification of the information in the application.\xe2\x80\x9d The Appendix\nfurther states that \xe2\x80\x9ccertain applications, because of the information in them, however, require special\nmanagement oversight and should be treated as major.\xe2\x80\x9d\n\n                                                       19\n\x0c                                                                                APPENDIX 1\n                                                                                Page 12 of 33\n\nACCESS CONTROLS\n\n             Conversely, the level of protection provided for low-risk resources may be in\n             excess of that required. Furthermore, Program management did not have a\n             reliable basis for making critical decisions regarding security safeguards for its\n             sensitive applications.\n\nRecommendations:\n\nWe recommend that the Director, Minerals Management Service:\n\n    1. Ensure that individual computer resources are classified based on the level of\nsensitivity associated with each resource.\n\n    2. Evaluate controls over resources to ensure that the access controls have been\nimplemented commensurate with the level of risk and sensitivity associated with each\nresource.\n\nMinerals Management           Service Response and Office of Inspector General\nReply\n\nBased on the Service\xe2\x80\x99s response, we request that the Service reconsider its response to\nRecommendations 1 and 2, which are unresolved (see Appendix 3).\n\nRecommendation      1. Nonconcurrence.\n\n    Service Response. The Service said that it believed that its \xe2\x80\x9ccurrent classifications are\nappropriate.\xe2\x80\x9d The Service further stated that its mainframe systems \xe2\x80\x9creceive heightened\nsecurity because they are more mission critical, not because they are more sensitive\xe2\x80\x9d and that\nthese systems \xe2\x80\x9cmust be protected more strenuously to ensure the integrity of the official\nrecords.\xe2\x80\x9d The Service also stated: \xe2\x80\x9cA more moderate level of protection is necessary for\nproprietary information than for mission critical information. The umbrella protection\nmechanism for all types of proprietary information is physical controls coupled with\nemployee training.\xe2\x80\x9d\n\n    Office of Inspector General Reply.            We disagree that the Service\xe2\x80\x99s current\nclassifications are appropriate. In its response to Recommendation M.1, the Service\nindicated that the Program had not identified all \xe2\x80\x9cmission critical\xe2\x80\x9d systems. Further, in our\nopinion, mission critical systems resided on personal computers and local area networks that\nsupported the Program\xe2\x80\x99s mission to accurately and timely disburse rents, bonuses, and\nroyalty revenues to the U.S. Treasury, the states, and the Indian tribes, as well as financial\ntransactions and external reporting. Additionally, the Service stated that the umbrella\nprotection over its proprietary data, which do not reside on the mainframe computer, is\n\n                                             20\n\x0c                                                                                   APPENDIX 1\n                                                                                   Page 13 of 33\n\nACCESS CONTROLS\n\nlimited to \xe2\x80\x9cphysical controls\xe2\x80\x9d and \xe2\x80\x9cemployee training.\xe2\x80\x9d However, these controls do not\nmeet the minimum controls required for Federal automated information resources. The\npurpose of resource classification is to provide a basis for determining the controls necessary\nto ensure appropriate implementation of risk-based management, as required by Office of\nManagement and Budget Circular A-l 30, Appendix III.\n\nRecommendation 2. Nonconcurrence.\n\n     Service Response. The Service said that it believes that its \xe2\x80\x9cexisting access controls over\nresources already meet the intent of this recommendation.\xe2\x80\x9d The Service further stated that\nall of its employees \xe2\x80\x9care granted access to view royalty, production, and reference data.\nSince most of this data is proprietary, employees are trained in its proper use and must sign\nstatements acknowledging their responsibility to protect it. State and Tribal employees have\naccess to such data within their jurisdictions only. The ability to add or change data is\nlimited to those employees who require that access to perform their jobs.\xe2\x80\x9d\n\n    Office of Inspector General Reply. We disagree that the Service\xe2\x80\x99s existing access\ncontrols meet the intent of the recommendation. By its response, we inferred that the Service\nhad not complied with the personnel control of \xe2\x80\x9cleast privilege\xe2\x80\x9d required by Appendix III of\nCircular A-130 and the \xe2\x80\x9cRMP Automated Information Systems Security Manual.\xe2\x80\x9d The\nCircular defines least privilege as \xe2\x80\x9cthe practice of restricting a user\xe2\x80\x99s access (to data files, to\nprocessing capability, or to peripherals) or type of access (read [which means to view], write,\nexecute, delete) to the minimum necessary to perform\xe2\x80\x9d an employee\xe2\x80\x99s job. Further, the\nProgram\xe2\x80\x99s Manual states, \xe2\x80\x9c[Plrivileges granted to users are only those privileges that are\nabsolutely necessary for job performance.\xe2\x80\x9d In addition, Appendix III of Circular A- 130 and\nthe Departmental Manual (375 DM 19) state that the \xe2\x80\x9cgreatest threat\xe2\x80\x9d to most computer\nsystems comes from authorized users. However, as stated by the Service, \xe2\x80\x9cAll [Service]\nemployees are granted access to view royalty, production, and reference data.\xe2\x80\x9d Therefore,\nwe believe that allowing all Service employees to have access to view Program data indicates\nthat access controls were not implemented commensurate with the level of risk and\nsensitivity of each resource. Further, as cited in Findings E, F, and G in this report, controls\nover access were inadequate; therefore, we believe that the Service\xe2\x80\x99s current access controls\nover resources do not meet the intent of the recommendation.\n\n\n\n\n                                                21\n\x0c                                                                                          APPENDIX 1\n                                                                                          Page 14 of 33\n\nACCESS CONTROLS\n\nE. Default Settings Provided With Commercial                          Off-the-Shelf       Software\n\nCondition:     Default settings provided with commercial off-the-shelf software were not\n               removed after the software was installed and implemented. For example, we\n               found that the default user identification (ID) and associated default password\n               had not been removed when Program management upgraded to the latest\n               version of the Integrated Data Management System (IDMS).2 The default user\n               ID provides users with administrative privileges to establish and remove users\n               and to access all mainframe computer resources.\n\nCriteria:      The \xe2\x80\x9cRMP Automated Information Systems Security Manual\xe2\x80\x9d requires that\n               default user IDS and passwords be removed once commercial off-the-shelf\n               software is implemented.\n\nCause:         Rather than deleting the default user ID and password, Program management\n               relied on the mainframe security software to protect against unauthorized\n               access.\n\nEffect:        As a result, there was an increased risk that the automated information system\n               could be accessed by unauthorized users.\n\nRecommendation:\n\nWe recommend that the Director, Minerals Management Service, implement controls to\nenforce Program policy that default user IDS and passwords are to be removed from the\nautomated information system when commercial off-the-shelf software is implemented.\n\nMinerals Management               Service Response and Office of Inspector General\nReply\n\nIn its response, the Service indicated agreement with the recommendation. However, the\nService needs to provide additional information for the recommendation (see Appendix 3).\n\nAdditional      Comments on Finding\n\nEven though the Service agreed with this recommendation, it stated that our conclusion was\nincorrect that \xe2\x80\x9cthe use of this default ID allows access to all mainfmme computer resources\xe2\x80\x9d\nbecause \xe2\x80\x9cthe security architecture prevented\xe2\x80\x9d the misuse of resources. The security\n\n21ntegrated Data Management System (RIMS) is a licensed product of Computer Associates International, Inc.,\nwhich manages database applications that reside on mainframe computers.\n\n                                                    22\n\x0c                                                                               APPENDIX 1\n                                                                               Page 15 of33\n\nACCESS CONTROLS\n\narchitecture requires that a user who wants to access the mainlkme have a \xe2\x80\x9cvalid RACF\nlogon password\xe2\x80\x9d and a \xe2\x80\x9cuser ID defined to the data dictionary.\xe2\x80\x9d We disagree that the security\narchitecture prevented the misuse of resources. Vendor documentation states that the default\nID can be used to establish a user in the dictionary and perform all activities cited in this\nfinding. In addition, we found that at least two applications did not rely on the Program\xe2\x80\x99s\n\xe2\x80\x9csecurity architecture.\xe2\x80\x9d\n\n\n\n\n                                            23\n\x0c                                                                                          APPENDIX 1\n                                                                                          Page 16 of 33\n\nACCESS CONTROLS\n\nF. Commercial         Off-the-Shelf        Software Access Controls\n\nCondition:     Commercial off-the-shelf software access controls were not implemented to\n               safeguard against unauthorized access to the mainframe computer, personal\n               computers, and servers. Specifically, we found that:\n\n                      - Resource Access Control Facility (RACF)3 provides the capability to\n               set rules for passwords in which the installation can require the use of specific\n               characters (a mix of letters and numbers) within the passwords, but this feature\n               was not used.\n\n                    - A default security setting was found on a server file that allows\n               passwords to be unencrypted.\n\n                      - The \xe2\x80\x9cSECURE CONSOLE\xe2\x80\x9d command was not found on a server file\n               which removes the Disk Operating System (DOS) from the server memory.\n               The removal of DOS from the server memory prevents an individual from\n               inserting a diskette into the server drive and loading unauthorized software that\n               could perform such functions as change passwords, establish trustee rights,\n               create users, and assign security levels. Also, the \xe2\x80\x9cSECURE CONSOLE\xe2\x80\x9d\n               command disables the users\xe2\x80\x99 ability to change the server date and time, thus\n               allowing users to bypass access restrictions.\n\nCriteria:      Office of Management and Budget Circular A-l 30, Appendix III, requires\n               agencies to establish controls to ensure adequate security for all information\n               processed, transmitted, or stored in Federal automated information systems.\n               Also, the Department\xe2\x80\x99s \xe2\x80\x9cAutomated Information Systems Security Handbook\xe2\x80\x9d\n               states that proprietary, personnel, sensitive, and mission-critical information\n               should be protected from unauthorized disclosure. In addition, the Program\xe2\x80\x99s\n               Automated Information Systems Security Manual states that a mix of letters\n               and numbers is recommended for passwords used to access the Program\xe2\x80\x99s\n               automated information system.\n\nCause:         The Program\xe2\x80\x99s policy recommended rather than required the use of a mix of\n               both letters and numbers in passwords to access its automated information\n\n\n\xe2\x80\x98Resource Access Control Facility (RACY) is an IBM-licensed software security product that protects\ninformation by controlling access to the information. RACF provides security by identifying and verifying\nusers to the system, authorizing users\xe2\x80\x99 access to protected resources, and recording and reporting access\nattempts. (Resource Access Control Facility General Users Guide. Version 1. RelW          9th edition, IBM\nCorp., 1993, page l-l.)\n\n                                                   24\n\x0c                                                                              APPENDIX 1\n                                                                              Page 17 of 33\n\nACCESS CONTROLS\n\n             system. In addition, there was no centralized security administration for the\n             local area networks and personal computers that contain proprietary and\n             financial data, and no Program procedures were in place to ensure that controls\n             were adequate to safeguard these local area networks and personal computers.\n\nEffect:      As a result, there was an increased risk that unauthorized access could be\n             gained to the automated information system, which could result in the loss of\n             data and in unauthorized individuals gaining access to sensitive data files.\n\nRecommendations:\n\nWe recommend that the Director, Minerals Management Service:\n\n     1. Evaluate the current Program policy which only recommends that passwords contain\na mix of letters and numbers for all automated information system components. Implement,\nif the Program determines that a mix of letters and numbers should be required, the security\nsoftware option within RACF that would enforce this requirement.              If the Program\ndetermines that a mix of letters and numbers is not required, the risk should be addressed in\nthe risk assessment.\n\n    2. Develop and implement centralized security administration for the local area\nnetworks used by the Program\xe2\x80\x99s divisions that contain proprietary and financial data.\n\nMinerals Management          Service Response and Office of Inspector General\nReply\n\nIn its response, the Service indicated agreement with both recommendations. However, the\nService needs to provide additional information for Recommendations 1 and 2 (see Appendix\n3).\n\n\n\n\n                                             25\n\x0c                                                                               APPENDIX 1\n                                                                               Page 18 of 33\n\nACCESS CONTROLS\n\nG. Access Levels Granted\n\nCondition:   We found that controls were not adequate to ensure that access levels granted\n             to users of the Program\xe2\x80\x99s automated information system were appropriate.\n             Specifically, access managers had not approved all automated information\n             system access granted to users of the access managers\xe2\x80\x99 applications and had not\n             performed periodic reviews to determine who the users were and whether the\n             levels of access granted in the automated information system were the access\n             levels approved.\n\nCriteria:    The \xe2\x80\x9cRMP Automated Information Systems Security Manual\xe2\x80\x9d states that\n             supervisors and managers are responsible for ensuring that employees\xe2\x80\x99 ADP\n             access certifications are appropriate for the job they will perform before users\n             are set up to access the automated information system. Also, the \xe2\x80\x9cGenerally\n             Accepted Principles and Practices for Securing Information Technology\n             Systems,\xe2\x80\x9d issued by the National Institute of Standards and Technology, states:\n             \xe2\x80\x9cIt is necessary to periodically review user account management on a system.\n             Reviews should examine the levels of access each individual has, conformity\n             with the concept of least privilege, whether all accounts are still active, [and]\n             whether management authorizations are up-to-date.\xe2\x80\x9d\n\nCause:       Program management had not ensured that its policies were implemented\n             effectively because access managers were not included in the process of\n             approving access to the automated information system. Additionally, the\n             Program\xe2\x80\x99s policies and procedures did not require that access managers\n             perform periodic reviews of users\xe2\x80\x99 levels of access to application files and\n             system records. In addition, Program management could not efficiently,\n             through automated means, perform reconciliations of authorization forms and\n             access levels granted in the automated information system because the audit\n             tools available for the automated information system had not been acquired.\n             Although automated capabilities were not acquired, Program management\n             could ensure that user access levels were appropriate to the work performed\n             through a recertification process whereby users resubmit the ADP access\n             certifications annually.\n\nEffect:      As a result, there was an increased risk that unauthorized access, data\n             manipulation, or disclosure of proprietary information may occur. In addition,\n             a periodic review of access files may limit the damage resulting from accidents,\n             errors, or unauthorized use of automated information system resources and\n             increase assurance that access levels were revised when users were reassigned\n             or promoted or they terminated their employment. Additionally, since periodic\n\n                                             26\n\x0c                                                                                 APPENDIX 1\n                                                                                 Page 19 of 33\n\nACCESS CONTROLS\n\n             reviews were not performed, there was an increased risk that unauthorized\n             access would not be detected or detected timely.\n\nRecommendations:\n\nWe recommend that the Director, Minerals Management Service:\n\n    1. Implement controls to ensure that access managers approve all access to their\napplications in accordance with Program policy.\n\n     2. Document procedures which require that users\xe2\x80\x99 access levels be reviewed periodically\nor that employees be recertified to ensure that the levels of access granted are appropriate for\nthe duties assigned to the users.\n\nMinerals Management           Service Response and Office of Inspector General\nReply\n\nBased on the Service\xe2\x80\x99s response, we request that the Service reconsider its responses to\nRecommendations 1 and 2, which are unresolved (see Appendix 3).\n\nRecommendation      1. Nonconcurrence.\n\n    Service Response. The Service stated that it believes that \xe2\x80\x9ceffective controls have been\nin place to assure that application managers approve all access to their applications.\xe2\x80\x9d It\nfurther stated that it \xe2\x80\x9cacknowledge[d] that our filing system for such approvals needed\nimprovement and are in the process of resolving this problem.\xe2\x80\x9d\n\n     Offke of Inspector General Reply. We disagree that effective controls were in place\nwhich ensured that application managers approved all access to their applications. We found\nthat the Program did not enforce its policy which required application managers to approve\nall access granted to users of their applications. We performed a statistical test of users who\nhad access to Program applications and production data and found that over 10 percent of\nthose users tested did not have their access approved by the application manager or the\nInstallation Security Officer. We discussed access approvals with application managers and\nfound that these managers were unaware of how many of the users had access to the\nmanagers\xe2\x80\x99 applications. Therefore, the problem was not attributable to the \xe2\x80\x9cfiling system\xe2\x80\x9d\nbut to the lack of enforcement of Program policy.\n\n\n\n\n                                              27\n\x0c                                                                                APPENDIX 1\n                                                                                Page 20 of 33\n\nACCESS CONTROLS\n\nRecommendation 2. Concurrence.\n\n     Service Response. The Service stated that it \xe2\x80\x9cconcur[red] with the need to document\nthese procedures\xe2\x80\x9d but \xe2\x80\x9cdisagree[d] with the OIG\xe2\x80\x99s [Office of Inspector General] implication\n(in its statement of effect) of any significant risk of security breaches.\xe2\x80\x9d The Service further\nstated: \xe2\x80\x9cAccess to mission-critical systems has been carefully managed and controlled\nthrough documented security procedures and controls, including mainframe access matrices\nand annual reviews by the Security Manager. Our own tests confiied that no unauthorized\naccess exists or has existed.\xe2\x80\x9d\n\n     Office of Inspector General Reply. The Service agreed that procedures should be\ndocumented but stated that it had procedures and controls in place for mission-critical\nsystems. However, we disagree that adequate procedures and controls were in place because\nthe Program\xe2\x80\x99s procedures did not address periodic reviews of users\xe2\x80\x99 access levels. The\nService disagreed that any significant risk of security breaches would occur because mission\ncritical systems are \xe2\x80\x9ccarefully managed and controlled\xe2\x80\x9d through \xe2\x80\x9cdocumented security\nprocedures and controls.\xe2\x80\x9d Since the Service stated in its response to Recommendation M. 1\nthat it had not identified all mission critical systems, it is unclear how the Service managed\nand controlled its mission critical systems. Regarding the annual review, under the current\nversion of the security software, a review of user access levels within the system could not\nbe performed. Therefore, the Program\xe2\x80\x99s procedures did not ensure that all users\xe2\x80\x99 access\nlevels were reviewed periodically and that the levels of access granted were appropriate for\nthe duties assigned to the users, thus ensuring implementation of \xe2\x80\x9cleast privilege.\xe2\x80\x9d Further,\nthe use of the matrix identified users within a group and the group\xe2\x80\x99s levels of access, but it\ndid not identify access levels for each user. In addition, without familiarity with the\nmethodology employed in the Service\xe2\x80\x99s test, such as the sample selection and test\nperformance, we must rely on the tests performed using statistical sampling software and\ngenerally accepted Government auditing standards followed by the audit staff.\n\n\n\n\n                                              28\n\x0c                                                                              APPENDIX 1\n                                                                              Page 21 of 33\n\nACCESS CONTROLS\n\nH. Number of Log-in Attempts\n\nCondition:   The Program\xe2\x80\x99s number of unsuccessful log-in attempts to access its automated\n             information system exceeded the standard established by the Department.\n             Specifically, in 1992, Program management increased the number of\n             unsuccessful log-in attempts from three to five before a user\xe2\x80\x99s ID and password\n             were revoked.\n\nCriteria:    The Department\xe2\x80\x99s \xe2\x80\x9cAutomated Information Systems Security Handbook\xe2\x80\x9d states\n             that the number of unsuccessful log-in attempts should be three.\n\nCause:       Program management did not follow the Departmental standard because, they\n             stated, it was difficult for some state and tribal organizations, which are\n             external customers, to access the mainframe computer through telephone lines.\n\nEffect:      As a result, the increased number of invalid attempts reduced the effectiveness\n             of the password as an access control. Thus, there was an increased risk of\n             unauthorized access to sensitive information.\n\nRecommendation:\n\nWe recommend that the Director, Minerals Management Service, evaluate the need to\ndeviate from the Departmental standard for the number of unsuccessful log-in attempts. If\nthe Program determines that this number should remain at five, Program management\nshould request, from the Department, a waiver from the standard of three attempts.\n\nMinerals Management          Service Response and Office of Inspector General\nReply\n\nBased on the Service\xe2\x80\x99s response, we consider this recommendation              resolved and\nimplemented (see Appendix 3).\n\n\n\n\n                                            29\n\x0c                                                                               APPENDIX 1\n                                                                               Page 22 of 33\n\n\nSOFTWARE           DEVELOPMENT            AND CHANGE MANAGEMENT\n\nI. Client/Server    Application     Software Changes\n\nCondition:   Change management controls over client/server application software were not\n             adequate. Specifically, we found that there were no controls to ensure that: (1)\n             Program management authorized and approved software changes and (2)\n             the changes to the application software were adequately tested before the\n             changed software was moved into production.\n\nCriteria:    National Institute of Standards and Technology Special Publication 500-l 61,\n             \xe2\x80\x9cSoftware Configuration Management: An Overview,\xe2\x80\x9d states that software\n             configuration control management procedures should define the specific steps\n             taken to analyze and evaluate the change request, clarify tbe meaning of the\n             request, and resolve the problem described. In addition, the procedures should\n             identify the appropriate individuals or organization responsible for evaluating\n             the requests and discuss the submission of the evaluation results to the\n             appropriate review board or individuals for approval or disapproval. Federal\n             Information Processing Standards Publication 106, \xe2\x80\x9cGuideline on Software\n             Maintenance,\xe2\x80\x9d states that testing is a critical component of software\n             maintenance and that, as such, test procedures must be consistent and based on\n             sound principles. Further, the Publication states that tests should examine\n             whether the application software is \xe2\x80\x9cdoing what it is supposed to do.\xe2\x80\x9d\n\nCause:       Program management did not enforce procedures for authorizing, approving,\n             and testing client/server application software.\n\nEffect:      As a result, there was an increased risk that the most critical client/server\n             application software changes were not made and that applications would not\n             perform as intended.\n\nRecommendation:\n\nWe recommend that the Director, Minerals Management Service, enforce its procedures for\nauthorizing, approving, and testing client server application software before the software is\nmoved into production.\n\n\n\n\n                                             30\n\x0c                                                                             APPENDIX 1\n                                                                             Page 23 of 33\n\n\nSOFTWARE         DEVELOPMENT             AND CHANGE MANAGEMENT\n\nMinerals Management          Service Response and Offhe of Inspector General\nReply\n\nIn its response, the Service stated that the documented procedures \xe2\x80\x9care already in place.\xe2\x80\x9d\n\nAlthough the Service provided additional information in its response showing that\nclient/server software development and change management procedures had been in place\nsince 1995, the information, which we requested, was not provided during our audit. Based\non the subsequent information provided by the Service, we agree that the Service has\ndocumented procedures. However, we found that these procedures had not been enforced\nduring fiscal year 1997. Specifically, in our review of four client/server applications, we\nfound no evidence to support that software changes were authorized, approved, and tested.\nTherefore, we have revised this finding and recommendation and request that the Service\nrespond to the revised recommendation (see Appendix 3).\n\n\n\n\n                                            31\n\x0c                                                                                   APPENDIX 1\n                                                                                   Page 24 of 33\n\n\nSEPARATION          OF DUTIES\n\nJ. Duties Related to Client/Server           Applications\n\nCondition:   The duties related to client/server applications were not separated effectively.\n             Specifically, we found that:\n\n                   - Application programmers were authorized to access client/server\n             production data to perform \xe2\x80\x9congoing maintenance\xe2\x80\x9d on applications.\n\n                  - At least one application programmer acted as a backup to an end user,\n             which required the programmer to change production data in the Minerals\n             Management Service Appeals Tracking System.\n\n                   - The individual responsible for setting up users of the Royalty\n             Management Program Desktop applications was also the person designated to\n             review server security logs, which record the activities of the users of the\n             applications.\n\nCriteria:    Office of Management and Budget Circular A-130, Appendix III, requires that\n             security controls for personnel include least privilege and separation of duties.\n             The Circular states, \xe2\x80\x9cLeast privilege is a practice of restricting a user\xe2\x80\x99s access\n             (to data files, to processing capability, or to peripherals) or type of access (read,\n             write, execute, delete) to the minimum necessary to perform his or her job.\xe2\x80\x9d\n             Separation of duties is the practice of dividing the steps in a critical function\n             among different individuals. Also, the MST Handbook states, \xe2\x80\x9cSeparation of\n             duties refers to dividing roles and responsibilities so that a single individual\n             cannot subvert a critical process.\xe2\x80\x9d The \xe2\x80\x9cRMP Automated Information Systems\n             Security Manual\xe2\x80\x9d states, \xe2\x80\x9cAccess to sensitive data is limited to those persons\n             who use or process the data in performing their official duties.\xe2\x80\x9d\n\nCause:       Program management did not appropriately assign duties for application\n             programmers to ensure that critical processes were not subverted. Specifically,\n             programmers should not have access to production data because access to\n             production data should be restricted to users. Also, Program management had\n             not ensured that independent reviews of server security logs were performed\n             periodically.\n\nEffect:      As a result, there was an increased risk that accidental or intentional\n             unauthorized actions by programmers could threaten the integrity of the\n             Program\xe2\x80\x99s data and disrupt system processing. Furthermore, there was an\n\n\n                                              32\n\x0c                                                                             APPENDIX 1\n                                                                             Page 25 of 33\n\n\n\nSEPARATION          OF DUTIES\n\n             increased risk that inappropriate actions by the individuals who established\n             system users would not be detected or would not be detected timely.\n\nRecommendations:\n\nWe recommend that the Director, Minerals Management Service:\n\n    1. Implement controls to ensure that application programmers do not have access to the\nproduction client/server application data or the capability to update/change these data.\n\n    2. Improve detection controls by ensuring that management or the Installation Security\nOfficer reviews server security logs periodically.\n\nMinerals Management          Service Response and Offke of Inspector            General\nReply\n\nBased on the Service\xe2\x80\x99s response, we request that the Service provide additional information\nfor Recommendation 2 and that it reconsider its response to Recommendation 1, which is\nunresolved (see Appendix 3).\n\nRecommendation 1. Nonconcurrence.\n\n     Service Response. The Service stated: While application programmers do not\nroutinely require update access to any RMP [Royalty Management Program] production\ndata, there are instances when temporary access is needed by specific programmers under\ncontrolled circumstances.     To mitigate any future risks associated with this access,\nprocedures have been reinforced which detail actions to be taken when requesting temporary\naccess to mainframe and client/server production data.\xe2\x80\x9d The Service also \xe2\x80\x9crefute[d]\xe2\x80\x9d our\nstatement that application programmers serve as backups to end users.\n\n    Offke of Inspector General Reply. The Service indicated that procedures were in place\nto control the risk when application programmers had update access to Program data.\nHowever, we did not find such procedures; therefore, we could not test the procedures to\nensure that temporary access was provided to specific programmers under controlled\ncircumstances.   To resolve this recommendation, the Service is requested to provide\ndocumentation of the procedures the Program uses that mitigate risk when programmers are\nallowed update access to production data.\n\n\n\n\n                                            33\n\x0c                                                                             APPENDIX 1\n                                                                             Page 26 of 33\n\n\n\nSEPARATION          OF DUTIES\n\nRegarding application programmers serving as backups to end users, we found during our\naudit that a programmer analyst had been given access to a client/server application to\nchange the database, to make table updates, and to print reports. According to Program\npersonnel who were responsible for the application, this access was authorized so that the\nprogrammer could provide backup duties to a Program employee.\n\nRecommendation     2. Concurrence.\n\n    Service Response. The Service stated that the contractor was \xe2\x80\x9cbeing directed to address\nthe review of server security logs within their overall internal control procedures.\xe2\x80\x9d\n\n    Offke of Inspector General Reply. We accept the Service\xe2\x80\x99s alternative of having the\ncontractor review the logs rather than Program management or the Installation Security\nOfficer. However, regardless of who does the review, the procedures must ensure adequate\nseparation of duties between the key functions of the security log reviewer and the security\nadministrator.\n\n\n\n\n                                            34\n\x0c                                                                              APPENDIX 1\n                                                                              Page 27 of 33\n\nSYSTEM SOFTWARE               CONTROLS\n\nK. Security Software\n\nCondition:   The version of RACF, the commercial mainframe security software, that was\n             used by the Program was no longer supported by the vendor. Although the\n             upgraded version of R4CF had been purchased, it had not been implemented.\n\nCriteria:    Federal Information Processing Standards Publication 106, \xe2\x80\x9cGuideline on\n             Software Maintenance,\xe2\x80\x9d states that \xe2\x80\x9cthe goal of software maintenance\n             management is to keep systems functioning.\xe2\x80\x9d\n\nCause:       Program management had not implemented the upgraded version of RACF\n             because management was in the process of requesting a waiver from the\n             Department from consolidating its mainframe operations with another\n             mainframe operation, which has the upgraded RACF, as required by Office of\n             Management and Budget Bulletin 96-02, \xe2\x80\x9cConsolidation of Agency Data\n             Centers.\xe2\x80\x9d If the waiver is granted to the Program, the upgraded version of\n             RACF will need to be implemented immediateIy.\n\nEffect:      Using security software that was not supported by the vendor increased the risk\n             that security software would not be maintained and that programs and data files\n             would not be protected from unauthorized access.\n\nRecommendation:\n\nWe recommend that the Director, Minerals Management Service, ensure that the upgraded\nversion of ILACF is implemented immediately if the Program is granted a waiver from\nconsolidating its mainframe operations with another mainframe operation.\n\nMinerals Management         Service Response and Office of Inspector General\nReply\n\nIn its response, the Service stated that it believes that we \xe2\x80\x9cmisunderstood the effects of\ndelaying this software upgrade. Although this is a moot point now that MMS [Minerals\nManagement Service] has replaced its processor, the decision not to upgrade the RACF\nsoftware was well founded.\xe2\x80\x9d\n\nAlthough the Service indicated that it had replaced its processor, we were not provided\ninformation to determine whether the Service has ensured that the upgraded version of RACF\nor equivalent security software was implemented on the new processor. Therefore, we\n\n\n\n                                            35\n\x0c                                                                              APPENDIX 1\n                                                                              Page 28 of 33\n\nSYSTEM SOFTWARE                CONTROLS\n\nconsider this recommendation unresolved and request that the Service reconsider its response\nto the recommendation (see Appendix 3).\n\nAdditional    Comments       on Finding\n\nThe Service stated that the Program \xe2\x80\x9cinitially delayed the upgrade because it was considering\na processor replacement that would require an entire new suite of mainframe software\nproducts.\xe2\x80\x9d The Service further stated, \xe2\x80\x9cUpgrading RACF at that time would have been an\ninherently risky and potentially expensive decision.\xe2\x80\x9d Regarding these statements, we were\nnot provided any documentation .to support these statements that the decision to not\nimplement the upgraded version of RACF was based on the Service\xe2\x80\x99s plan to implement a\nnew processor or that the upgrade of RACF would be \xe2\x80\x9crisky and potentially expensive.\xe2\x80\x9d\n\n\n\n\n                                            36\n\x0c                                                                                         APPENDIX 1\n                                                                                         Page 29 of 33\n\nSYSTEM SOFTWARE                    CONTROLS\n\nL. Mainframe         Computer System Audit Tools\n\nCondition:     Program management did not use available system audit tools to ensure\n               integrity over system processing and data and to detect inappropriate actions by\n               authorized users. Specifically, we found that:\n\n                      - System integrity verification and audit software was not used, This\n               software could assist data center and installation security management in\n               identifying and controlling the mainframe computer operating system\xe2\x80\x99s security\n               exposures such as setting system options inappropriately, installing \xe2\x80\x9cback\n               doors\xe2\x80\x9d to the operating system, and introducing viruses and Trojan horses, that\n               can destroy production dependability and circumvent existing security\n               measures.\n\n                       - Computer operators and system programmers had the capability to\n               change the system initialization process and thus affect system processing.\n               Additionally, system options that produce a system audit trail were not\n               implemented. Therefore, an audit trail that logs the results of actions taken by\n               computer operators and system programmers in the SYSLOG during system\n               initialization could not be produced for periodic review.\n\n                      - Periodic reviews of System Management Facility (SMF) logs to identify\n               critical events affecting system processing were not performed.4 For example,\n               reviews were not performed of record type 7, which records when the system\n               audit trail is lost, and record type 90, which records events such as \xe2\x80\x9cSET\n               TIME,\xe2\x80\x9d \xe2\x80\x9cSET DATE,\xe2\x80\x9d and \xe2\x80\x9cSET SMF,\xe2\x80\x9d all of which affect system processing\n               and production of audit trails.\n\n                      - Periodic reviews of SMF logs to identify unauthorized changes to data\n               by authorized users were not performed. Even though one of the SMF record\n               types, record type 60, which logs all activity affecting Virtual Storage Access\n               Method data sets that contain lease and site security data, was activated during\n               our audit, the logs were not reviewed to detect inappropriate actions or unusual\n               activity by authorized users.\n\nCriteria:      Office of Management and Budget Circular A-130, Appendix III, requires\n               agencies to establish controls to ensure adequate security for all information\n               processed, transmitted, or stored in Federal automated information systems, In\n\nbe System Management Facility (SMF) logs record all system activity and serve as an audit trail of system\nactivity, including identification of users who performed the activity.\n\n                                                   37\n\x0c                                                                               APPENDIX 1\n                                                                               Page 30 of 33\n\nSYSTEM SOFTWARE               CONTROLS\n\n             addition, the Circular states that individual accountability is one of the\n             personnel controls required in a general support system. The Circular further\n             states that an example of one of the controls to ensure individual accountability\n             is reviewing or looking at patterns of users\xe2\x80\x99 behavior, which requires reviews\n             of the audit trails. The NIST Handbook states that audit trails are a technical\n             mechanism to achieve individual accountability.\n\nCause:       Program management did not acquire system integrity and verification\n             software, did not implement system options to record actions taken affecting\n             system initialization, did not encourage the use of available system audit trails\n             to detect and identify inappropriate actions affecting the system processing and\n             data integrity, and did not establish procedures requiring periodic reviews of\n             resultant logs because the logs were extensive and difficult to read. Further,\n             Program management had not considered converting the logs to a more useful\n             format to extract critical information. Instead, Program management relied on\n             its staff to make appropriate changes to the system initialization process and on\n             authorized users to make only appropriate changes.\n\nEffect:      As a result, inappropriate mainframe computer system initialization and\n             processing were not recorded and identified. Additionally, without periodic\n             reviews of the system audit trails, there was an increased risk that processing\n             problems or unauthorized activities would not be detected or would not be\n             detected timely and that the individual responsible would not be held\n             accountable for the inappropriate actions.\n\nRecommendations:\n\nWe recommend that the Director, Minerals Management Service:\n\n    1. Evaluate acquiring system verification and auditing software.\n\n     2. Implement the system options to record activities in the SYSLOG during the system\ninitialization process and develop and implement procedures to ensure that periodic reviews\nof the SYSLOG for unauthorized or inappropriate activities are performed and that\nunauthorized or inappropriate activities are reported to Program management.\n\n     3. Evaluate the available SMF record types and implement procedures to ensure that\ncritical SMF logs are reviewed periodically and that Program management addresses the\nproblems identified.\n\n\n\n\n                                             38\n\x0c                                                                               APPENDIX 1\n                                                                               Page 3 1 of 33\n\nSYSTEM SOFTWARE                CONTROLS\n\nMinerals Management           Service Response and Offke of Inspector General\nReply\n\nIn its response, the Service indicated agreement with Recommendations 2 and 3. However,\nthe Service needs to provide additional information for Recommendations 2 and 3 and needs\nto reconsider its response to Recommendation 1, which is unresolved (see Appendix 3).\n\nRecommendation 1. Nonconcurrence.\n\n    Service Response. The Service stated that the Program \xe2\x80\x9croutinely uses a number of\nsystem-assurance mechanisms such as control reports, system-assurance programs and user-\nreconciliation reports\xe2\x80\x9d but that it \xe2\x80\x9cremains alert to any technologic developments that would\nimprove system integrity and operations.\xe2\x80\x9d The Service further stated, \xe2\x80\x9cAS these packages\nbecome available, they will be examined for applicability to the RMP [Royalty Management\nProgram] computing environment.\xe2\x80\x9d\n\n     Office of Inspector General Reply. The mechanisms cited by the Service provide\ninformation related mainly to application processing system assurance. Although the Service\nsaid that it will evaluate the use of software packages to assist in providing assurance over\nsystem integrity and operations, the Service should state concurrence or nonconcurrence with\nthe recommendation to evaluate the acquisition of operating system-verification and auditing\nsoftware that would identify mainframe operating system security exposures.\n\n\n\n\n                                             39\n\x0c                                                                                APPENDIX 1\n                                                                                Page 32 of 33\n\n\n\nSERVICE CONTINUITY\n\nM. Disaster Recovery         Plans\n\nCondition:   Local area networks and personal computers used by the Program\xe2\x80\x99s divisions\n             that maintain proprietary and financial data were not included in the Program\xe2\x80\x99s\n             disaster recovery plans.\n\nCriteria:    Office of Management and Budget Circular A-130, Appendix III, states that\n             agencies should establish a contingency plan and periodically test the plan to\n             ensure that operations will continue in the event that automated systems fail.\n\nCause:       Program management did not ensure that all systems which maintain\n             proprietary and financial data were included in its disaster recovery plans.\n\nEffect:      If the disaster recovery plans are incomplete because all sensitive systems are\n             not included, personnel required to perform the disaster recovery procedures\n             may not be able to recover critical systems in the event of a disaster or a system\n             failure.\n\nRecommendation:\n\nWe recommend that the Director, Minerals Management             Service, update the disaster\nrecovery plans to include all mission-critical systems.\n\nMinerals Management          Service Response and Offke of Inspector General\nReply\n\nBased on the Service\xe2\x80\x99s response, we request that the Service provide additional information\nfor the recommendation (see Appendix 3).\n\nAdditional    Comments on Finding\n\nThe Service stated, \xe2\x80\x9cWe believe the disaster recovery plans we have in place for our\nmainframe and client servers provide coverage for virtually all of our mission-critical\napplications.\xe2\x80\x9d In our opinion, this statement implies that disaster recovery plans are not\nrequired for other components of the Program\xe2\x80\x99s automated information system, such as local\narea networks and personal computers used by the Program\xe2\x80\x99s divisions. The local area\nnetworks and personal computers used by the Program\xe2\x80\x99s divisions were the components of\nthe automated information system used to develop the Program\xe2\x80\x99s financial statements and\n\n\n                                             40\n\x0c                                                                               APPENDIX 1\n                                                                               Page 33 of 33\n\n\n\nSERVICE       CONTINUITY\n\nto report financial information to the U.S. Treasury and the Office of Management and\nBudget. Further, these components also support the Program\xe2\x80\x99s mission to accurately and\ntimely disburse rents, bonuses, and royalty revenues to the U.S. Treasury, the states, and the\nIndian tribes. Therefore, we believe that these components not only are \xe2\x80\x9cmission critical\xe2\x80\x9d\nto the Program but also are part of the Program\xe2\x80\x99s general support system. Offke of\nManagement and Budget Circular A-130, Appendix III, defines general support systems as\n\xe2\x80\x9can interconnected set of information resources under the same direct management control\nwhich shares common functionality.\xe2\x80\x9d Further, the Circular addresses the need for continuity\nof support for general support systems as well as major applications.\n\n\n\n\n                                             41\n\x0c                                                                             APPENDIX 2\n                                                                              Page 1 of 11\n\n                   United States Department of the Interior\n                               MINERALS MANAGEMENT SERVICE\n                                        Washington. DC 20240\n\n\n                                          JAN 16 1998\n\n\n\nMemorandum\n\nTo:           Assistant Inspector General for Audits\n\n\n\n\nFrom:          Cynthia Quartet-man\n        Rccr\\g Director, Minerals Management Service\n\nSubject:       Office of Inspector General Draft Audit Report A-IN-MMS-00 l-97, \xe2\x80\x9cGeneral\n               Controls Over the Automated Information System, Royalty Management\n               Program, Minerals Management Service\xe2\x80\x9d\n\nThank you for the opportunity to respond to this draft report on the general controls over our\nroyalty automated information system. Of the 24 Recommendations, we agree with 11, partially\nagree with 2, and disagree with 11. We\xe2\x80\x99re sending you our general comments on the audit\nfindings and specific ones on the recommendations. We\xe2\x80\x99ve also included nine Enclosures to our\nresponse as additional background material for your review.\n\nPlease contact Bettine Montgomery at (202) 208-3976 if you have any further questions.\n\n\n\n\nAttachments\n\n\n\n\n      [ENCLOSURES REFERRED TO IN THE MINERALS MANAGEMENT SERVICES\xe2\x80\x99\n      RESPONSE NOT INCLUDED BY THE OFFICE OF INSPECTOR GENERAL.]\n                                             42\n\x0c                                                                                APPENDIX 2\n                                                                                 Page2ofll\n\n             . ..\n  MINE~LSMANAGEMENTSERVICERESPONSET~DRAFTAUDITREP~RT\n   "GENERALCONTROLSOVERTHEAUTOMATEDINFORMATIONSYSTEM,\n  ROYALTYMANAGEMENTPROGRAM,MINERALSMANAGEMENTSERVICE"\n\nAudit Agency: Office of Inspector General (OIG)\n\nAudit Number: A-IN-MMS-00 l-97\n\n We appreciate the opportunity to comment on this draft report. MMS shares OIG\xe2\x80\x99s concern for\n security and controls and concurs with some of the findings and recommendations presented in\n the report. In fact, the Royalty Management Program (RMP) is actively implementing solutions\n to rectify some of the weaknesses pointed out by the OIG and to enhance system security. We\n concur with OIG\xe2\x80\x99s use of OMB Circular A- 130 as the principal criteria for evaluation; however,\nwe cannot agree with OIG\xe2\x80\x99s implicit conclusion that RMP systems do not comply with the\n Circular. It is important to recognize.these criteria are general, leaving considerable room for\njudgement and interpretation based on the individual facts and circumstances.\n\nWe indeed believe RMP systems are in substantial compliance with the spirit and intent of the\nOMB Circular and strenuously disagree with the overall conclusion of the report -- that general\ncontrols were inadequate. The OIG review identified some spot failures and procedural\nweaknesses, many of which we have agreed to change. However, in terms of materiality, the\nsum total of these weaknesses, in our opinion, is not significant enough to constitute an overall\nfinding of inadequate. Furthermore, the report does not actually deal with the overall or general\ncontrols. To do so would require an evaluation of redundant and compensating controls. Yet,\nthe OIG report stated \xe2\x80\x9cwe did not evaluate the effectiveness of manual control procedures that\nmay have operated as compensating controls for the automated information system general\ncontrols.\xe2\x80\x9d\n\nMMS would also point out that our recurring management control reviews have addressed such\nmanual controls and generally found they were working effectively or prompted corrective\nactions to resolve minor control deficiencies. While these reports, as well as the supporting\nworkpapers, were reviewed during this and prior OIG audits of our automated system, no adverse\nfindings in this regard were reported. Moreover, past OIG audits performed under the Chief\nFinancial Officers Act of 1990 have covered these controls, and each report concluded that our\nfinancial information was reliable.\n\nWe must dispute many of the OIG\xe2\x80\x99s facts, conclusions, and interpretations. System security is a\ncomplex network of redundant measures and policies which must strike an appropriate balance\nbetween risk and cost. Taken together, this network provides overall security for the key\noperating systems. No system is perfect, especially given the rapidly changing technological\nenvironment and the competing needs for funds. However, we believe OIG is holding RMP to\n\n\n                                                1\n\n\n\n\n                                               43\n\x0c                                                                                        APPENDIX 2\n                                                                                         Page3ofll\n\n                    . ..\n        an unattainable standard in concluding general controls were \xe2\x80\x9cnot adequate.\xe2\x80\x9d MMS has\n        established and continues to improve on a system of security controls that we believe should\n        instead be viewed as a positive example, or even a model within the government.\n\n        Finally, the OIG report does not demonstrate a single negative impact of its findings. The OIG\n        reported no incidents -- no loss or corruption of data and no thefi or unauthorized access. We\n        believe the absence of such incidents reflects favorably on our existing automated and manual\n        compensating controls. Our primary comments on the facts and conclusions are shown below by\n        topic. Additional comments on the facts and conclusions are included in our comments on the\n        recommendations.\n\nI       RISK ASSESSMENTS\n\n        MMS believes the risk assessment criteria were not appropriately applied. Circular A-130 states\n         \xe2\x80\x9cThe Appendix no longer requires the preparation offormal risk analyses \xe2\x80\x9d and that risk\n        assessments \xe2\x80\x9ccan be formal or informal, detailed or simplified, high or low level, quantitative\n         (computationally based) or qualitative (based on descriptions or rankings), or a combination of\n        these. No single method is best for all users and all environments. \xe2\x80\x9d Given the breadth of\n        judgement allowed on this matter, RMP\xe2\x80\x99s previous risk assessment documents and processes\n        were clearly in accordance with the guidelines. We must also disagree with OIG\xe2\x80\x99s findings that\n        MMS did not properly assess the risks regarding year 2000 program conversion, \xe2\x80\x9cunsupported\xe2\x80\x9d\n        system security software, and \xe2\x80\x9cgeopolitical\xe2\x80\x9d and \xe2\x80\x9cexternal directives\xe2\x80\x9d risks.\n\n        In 1996, RMP management anticipated the potential risks associated with the Year 2000\n        conversion and tasked its operations and maintenance contractor to conduct a detailed analysis of\n        major systems and develop a plan for modifying,and testing the programs. The resultant $1.6\n        million project was begun by the contractor in March 1997 and is on track for completion in\n        1998. (Enclosures 1,2, 3 and 4). In May 1997, RMP management also initiated a parallel\n        internal project to assess non-mainframe, stand-alone systems. Given the fact that OMB Circular\n        A-l 30 does not even require formal risk analyses; it would seem that such an explicit recognition\n        of this risk and timely action toward its elimination is as an accomplishment rather than a failure.\n\n        We also believe the OIG misunderstood the circumstances involving the \xe2\x80\x9cResource Access\n        Control Facility\xe2\x80\x9d (IUCF) mainframe security software. The system-security software was never\n        \xe2\x80\x9cunsupported\xe2\x80\x9d in the sense implied by OIG; this was a contractual matter that would have\n        required a paid service call rather than a supported call if a problem arose. Because RMP was\n    .                                                                                                 \xe2\x80\x99 \xe2\x80\x98.\n        planning to upgrade to a different operating system, we chose not to incur the expense of a\n        software upgrade at that time. RMP was never at any risk regarding this software.\n\n\n\n\n                                                         2\n\n\n\n\n                                                        44\n\x0c                                                                                APPENDIX 2\n                                                                                 Page4of 11\n\n\nWe glso take issue with OIG\xe2\x80\x99s opinion regarding our assessment of \xe2\x80\x9cgeopolitical\xe2\x80\x9d and \xe2\x80\x9cexternal\ndirectives\xe2\x80\x9d risks. In our view, OIG\xe2\x80\x99s opinion that RMP was at risk of employee sabotage\nbecause of low morale associated with potential program abolishment or downsizing is\noverstated. Since the program\xe2\x80\x99s inception in 1982, RMP employees have become accustomed to\nsuch proposals. While they may indeed weaken morale, we have learned external threats are\nmore likely to rally our employees than to foster mischief. While we consider the employee\nmorale issue to be important matter, RMP correctly assessed this risk as \xe2\x80\x9clow.\xe2\x80\x9d\n\nSOFTWAREANCHANGEMANAGEm\n\nRh4P disagrees with OIG\xe2\x80\x99s statement that \xe2\x80\x9cProgram management did not have procedures to\nensure that client/server application software changes were authorized, approved, and tested\nbefore being moved into production.\xe2\x80\x9d Such procedures have been in place since 1995 and are\npublished in an on-line help text format (Enclosure 5). The Client/Server Guidelines clearly\ndefine the steps/processes for testing to be included in the Implementation Plan (part of the\nVisualization Step) and the Unit, System, and User Testing required as part of the Operational\nPrototype (Development Step). These Guidelines include a separate Procedural Overview of\nTesting including an example test plan. While testing processes for client-server applications are\ndifferent from those for mainframe systems because of the emphasis on interactive prototyping\nand Graphical User Interface design, they are no less adequate.\n\nDEFAJJJ~TSETTINGS\n\nThe OIG found one instance where a default ID provided with off-the-shelf software was not\nremoved as required. However, it is factually incorrect to say that use of this default ID allows\naccess to all mainfiarne computer resources. The security architecture prevented any\nunauthorized or inappropriate user from using this ID because users must first be able to access\nthe system through a valid RACF logon password and have a user ID defined to the data\ndictionary. At no time were RMP resources at risk\n\nSECURITY SOFTW-\n\nThe OIG seems to have misunderstood the reasons for and the effects of RMP\xe2\x80\x99s decision not to\nupgrade RACF, the commercial mainframe security software. As noted above, RMP initially\ndelayed the upgrade because it was considering a processor replacement that would require an\nentire new suite of mainfkame software products. Upgrading RACF at that time.would have been\nan inherently risky and potentially expensive decision. Moreover, the current version of RACF\nhad been very stable. The only risk of running \xe2\x80\x9cunsupported\xe2\x80\x9d software is contractual; that is, in\nthe unlikely event of a R4CF failure, IBM would have to be called in for service on demand\nrather than as a fully supported maintenance call.\n\n\n                                                 3\n\n\n\n\n                                               45\n\x0c                                                                                APPENDIX 2\n                                                                                 Page5ofll\n\n\n\nDISASTERRECOVERY            PLANS\n\nThe OIG seems to have generalized two distinct concepts and used them interchangeably.\nSensitive or proprietary information is not synonymous with mission critical-systems and\ninformation. Although most MMS mission-critical information is sensitive, the reverse is not the\ncase. Most sensitive data is not mission critical.\n\nThe central repository for mission-critical information resides on the mainframe computer. This\nis where MMS\xe2\x80\x99s key systems reside--the heart of the MMS\xe2\x80\x99 operations--requiring a\ncomprehensive disaster recovery plan. Users know they can always go to this central repository\nfor the official and current data. This database is updated continuously, centrally managed, and\nroutinely backed up. Because most of this data is also business-sensitive, security controls are\nalso in place to prevent unauthorized disclosure.\n\nIn addition, large amounts of redundant data reside in paper and electronic format in and on\ndesks, file cabinets, and personal computers. This includes sensitive and financial data.\nHowever, because most of this data is redundant, it is not \xe2\x80\x9cmission critical.\xe2\x80\x9d Therefore, while it\nis important to prevent unauthorized disclosure of this information, disaster recovery plans are, in\nmost cases, not cost effective, feasible, or necessary.\n\nTherefore, OIG\xe2\x80\x99s conclusion that disaster recovery plans are needed for all Zocal area networks\nand personal computers that contain proprietary andfinancial data is erroneous. We believe\nthe disaster recovery plans we have in place for our mainframe and client servers provide\ncoverage for virtually all of our mission-critical applications. We are currently reviewing \xe2\x80\x9cstand\nalone\xe2\x80\x9d PC systems to determine if any are truly mission critical. If so, they will need to be\nbrought onto the network and managed accordingly.\n\nCOMMENTS       ON RECOMMENDATIONS\n\nA 1. Ensure that risk assessments are conducted in accordance with guidelines, which\nrecommend that risk assessments support the acceptance of risk and the selection of appropriate\ncontrols. Specifically, the assessments should address significant risks affecting systems,\nappropriately identify controls implemented to mitigate those risks, and formalize the acceptance\nof the residual risk.\n                                                                                                       \xe2\x80\x99.\nDISAGREE - whife \xe2\x80\x98MMS plans to enhance &d betier document our risk\xe2\x80\x99assessment piocess\ndue to the rapidly changing computing and communication environment, we believe our previous\nassessments were in accordance with guidelines.\n\n\n\n\n                                                 4\n\n\n\n\n                                               46\n\x0c                                                                                     APPENDIX2\n                                                                                      Page6ofll\n\n\n    A2. ~orm~l,l~~&sign and communicate responsibility to local area network administrators to\n    participate in risk assessments and ensure compliance with the Program\xe2\x80\x99s security policy.\n\n    DISAGREE - RMP policies define the LAN administrators\xe2\x80\x99 role in contingency planning and\n    security. (Enclosure 6).\n\n    A3. Determine the risks associated with local area network applications and personal computer\n    databases that contain proprietary and financial data and, based on the results of the risk\n    assessments, establish appropriate security policies and\xe2\x80\x99procedures.\n\n    AGREE - RMP will conduct a risk analysis on user written applications as well as data residing\n    on networks and personal computers to determine appropriate security and disaster recovery\n    procedures. An inventory of these applications and the business functions they support is\n    already being performed as part of RMP\xe2\x80\x99s Year 2000 project.\n\n    B 1. Evaluate Systems Management Division and contractor ADP positions to determine\n    position sensitivity in relation to risk and ADP factors. Also, assurance should be provided that\n    automated information system work is technically reviewed by persons whose position\n    sensitivity level is greater than the position sensitivity levels of the employees who are\n    performing the work.\n\n    PARTIALLY AGREE - We plan to reevaluate the position sensitivity level for the senior\n    personnel in charge of the contractor activity to determine if those position should be classified at\n    a higher level. In accordance with Departmental criteria, most ADP staff are designated\n    noncritical sensitive. We doubt it was the OIG\xe2\x80\x99s intention to imply that all work must be\n    reviewed by persons at a higher sensitivity level; however, this would be impossible in a multiple\n    level organization because there are only two sensitivity levels from which to choose, i.e.,\n    \xe2\x80\x9cnoncritical-sensitive\xe2\x80\x9d and \xe2\x80\x9ccritical-sensitive.\xe2\x80\x9d\n\n    B2. Establish controls to ensure that the contractor is fulfilling its contractual obligation of\n    submitting requests for background checks within the specified time frame and that contractor\n    employees who are in probationary status and awaiting security clearances are not performing\n    critical ADP work.\n\n    PARTIALLY AGREE - We agree controls are needed to assure the contractor timely submits\n    requests for background checks. The contractor has been directed and has begun to track and is\n* \xe2\x80\x99 accoiuitable for the status of its submission of thede r&quests. We alsd\xe2\x80\x99agiee that employees      l\n\n\n\n\n    awaiting clearances should be in probationary status; however, it would be unacceptably costly to\n    prohibit employees from performing critical ADP work. Except for positions which require\n    access to information dealing with national security, all Federal employees are hired and perform\n\n\n\n                                                     5\n\n\n\n\n                                                    47\n\x0c                                                                                APPENDIX 2\n                                                                                 Page7of 11\n\n            .   .a\n\n\n\nthe.full scope of their jobs while the appropriate investigation is conducted and a suitability\ndetermination is made. We believe a similar criterion is appropriate for our contractors. Most all\nsoftware development and system operation work could be considered critical. As a practical\nmatter, we could not delay replacing contractor employees in such work pending the completion\nof background checks. However, we are exploring alternatives with the contractor such as having\nthem perform a preliminary \xe2\x80\x9ccriminal and credit check\xe2\x80\x9d which is quick and inexpensive .\n\nB3. Establish controls to ensure that personnel or security files accurately reflect that\nbackground checks and periodic follow-up background checks are performed as required.\n\nDISAGREE - Controls are already in place to ensure that personnel or security files accurately\nreflect background checks. MMS\xe2\x80\x99s Office of Administration and Budget maintains\ndocumentation and a tracking system on all MMS employee and contractor security clearances\nand background checks. We also disagree with the OIG\xe2\x80\x99s statement that follow-up background\nchecks are required. MMS is in compliance with Departmental guidance (Enclosure 7) that\nfollowup checks are authorized only for national security positions and not for public trust\npositions.\n\nC 1. Establish controls to enforce Program policy that requires employees to sign security awareness\nstatements before their access to system resources is approved by the Installation Automated\nInformation System Security Officer.\n\nAGREE - While our own test sample has confirmed that our users have appropriate access to\nRMP systems, we concur that our filing system for access approvals needed improvement. All\nstatements are now consistently filed and reconciled by the ADP security officer.\n\nDl. Ensure that individual computer resources are classified based on the level of sensitivity\nassociated with each resource.\n\nDISAGREE - We believe our current classifications are appropriate. Most RMP data is sensitive\nor \xe2\x80\x9cproprietary\xe2\x80\x9d and must be protected from unauthorized disclosure. Our mainframe systems\nreceive heightened security because they are more mission critical, not because they are more\nsensitive. As explained in previous segments, these systems must be protected more strenuously\nto ensure the integrity of the official records.\n\nA more moderate level of protection is necessary for proprietary information than for mission\ncritical information. The uinbrella protection mechanism for all types of proprietary informat\xe2\x80\x99ion\nis physical controls coupled with employee training. RMP works in a secure environment and\ntrains employees to protect all forms of proprietary information such as paper copies, information\non their PC\xe2\x80\x99s, and floppy disks, in addition to information which resides on networks and\n\n\n\n\n                                                48\n\x0c                                                                                        APPENDIX 2\n                                                                                         Page8ofll\n\n\n        servkrs. W$il; it would be possible to install network security measures equivalent to the\n        mainframe measures, we believe the significant additional cost would not be justified. We\n        believe the protection level over all proprietary information is appropriate.\n\n        The OIG is technically correct in its statement that MMS had not officially designated any of its\n        systems as \xe2\x80\x9cmajor\xe2\x80\x9d. However, RMP has @eated its mission-critical mainframe applications as\n        major (as allowed by OMB Circular A-130) by providing extra security controls and disaster\n        recovery capabilities. Based on our interpretation of A- 130, the fact that these systems were not\n        officially designated as major systems in our annual security plan is incidental and not\n        substantive.\n\n        D2. Evaluate controls over resources to ensure that the access controls have been implemented\n        commensurate with the level of risk and sensitivity associated with each resource.\n\n        DISAGREE - We believe our existing access controls over resources already meet the intent of\n        this recommendation. All MMS employees are granted access to view royalty, production, and\n        reference data. Since most of this data is proprietary, employees are trained in its proper use and\n        must sign statements acknowledging their responsibility to protect it. State and Tribal employees\n        have access to such data within their jurisdictions only. The ability to add or change data is\n        limited to those employees who require that access to perform their jobs.\n\n        El. Implement controls to enforce Program policy that default user ID\xe2\x80\x99s and passwords are to be\n        removed from the automated information system when commercial off-the-shelf software is\n        implemented.\n\n        AGREE - The contractor has implemented a verification procedure to ensure this situation does\n        not recur.\n\n        F 1. Evaluate the current Program policy which only recommends that passwords contain a mix of\n        letters and numbers for all automated information system components. Implement, if the Program\n        determines that a mix of letters and numbers should be required, the security software option within\n        IUCF that would enforce this requirement. If the Program determines that a mix of letters and\n        numbers is not required, the risk should be addressed in the risk assessment.\n\nI       AGREE - RMP will assess this issue and document the decision.\n\n    .\n        F2. Develop and i\xe2\x80\x99mplement centralized security administration for the &al area netborks used          \xe2\x80\x9d\n        by the Program\xe2\x80\x99s divisions that contain proprietary and financial data.\n\n\n\n\n                                                         7\n\n\n\n\n                                                        49\n\x0c                                                                                       APPENDIX 2\n                                                                                        Page9of 11\n\n\n       AGl%EE - J+!e are in process of implementing centralized security administration for efficiency\n       purposes. Iiowever, we cannot support OIG\xe2\x80\x99s basis for this recommendation, i.e., that \xe2\x80\x9c. . . no\n       Program procedures were in place to ensure that controls were adequate to safeguard these local\n       area networks and personal computers\xe2\x80\x9d as evidenced by two allegedly inappropriate so&are\n       settings. As discussed below, we disagree the settings are inappropriate. RMP has had security\n       and recovery procedures in place for its LAN\xe2\x80\x99s since 1993, and the fileservers are secure.\n\n       F3. Change the \xe2\x80\x9cSET UNENCRYPTED PASSWORD\xe2\x80\x9d to \xe2\x80\x9cOFF\xe2\x80\x9d and include the \xe2\x80\x9cSECURE\n       CONSOLE\xe2\x80\x9d command in the AUTOEXEC.NCF file on all file servers to prevent users from gaining\n       unauthorized access to sensitive files.\n\n       DISAGREE - RMP was aware of the software settings issues suggested by the OIG and had\n       consciously decided to leave the settings as they are. In both cases, the judgements were based\n       on operational issues, taking risk into consideration. The limited security exposure was\n       mitigated by the physical controls. The servers in question are in a locked LAN room within a\n       controlled access building. Both of these decisions fall under the security judgement mandated\n       by the A-l 30 and the National Institute of Standards and Technology (NIST) handbook which\n       states that \xe2\x80\x9cThe costs and benefits of security should be carefully examined in both monetary and\n       non-monetary terms to ensure that the cost of controls does not exceed expected benefits\xe2\x80\x9d. It was\n       RMP\xe2\x80\x99s judgement that the real costs of setting these parameters in the way suggested by OIG\n       clearly exceeded their limited security benefits.\n\n       Gl . Implement controls to ensure that access managers approve all access to their applications in\n       accordance with Program policy.\n\n       DISAGREE - We believe effective controls have been in place to assure that application\n       managers approve all access to their applications (see Enclosure 7). We acknowledge that qur           .\n       filing system for such approvals needed improvement and are in the process of resolving this\n       problem.\n\n       G2. Document procedures which require that users\xe2\x80\x99 access levels be reviewed periodically or that\n       employees be re-certified to ensure that the levels of access granted are appropriate for the duties\n       assigned to the users.\n\n      AGREE - We concur with the need to document these procedures. However, we disagree with\n      the OIG\xe2\x80\x99s implication (in its statement of effect) of any significant risk-of security breaches.            .\n    \xe2\x80\x99 Ac\xe2\x80\x99&.ss to hission-critical systems has beeh carefUlly managed and controlled through\n      documented security procedures and controls, including mainframe access matrices and annual\n      reviews by the Security Manager. Our own tests confirmed that no unauthorized access exists or\n      has existed.\n\n\n\nI                                                       8\n\n\n\n\n                                                       50\n\x0c                                                                                    APPENDIX 2\n                                                                                    Page 10of 11\n\n                .   .a.\n\n\n\n    H 11.Evaluate the need to deviate from the Departmental standard for the number of unsuccessful\n    log-in attempts: If the Program determines that this number should remain at five, Program\n    management should request, from the Department, a waiver from the standard of three attempts.\n\n    AGREE - A DO1 waiver for RMP to extend the password attempts from three to five for the\n    RMP was granted on November 14,1997. (Enclosure 9)\n\n    Il. Document procedures for authorizing, approving, and testing client/server application software\n    before the software is moved into production.\n\n    DISAGREE - These documented procedures are already in place. (Enclosure 5)\n\n    Jl . Implement controls to ensure that application programmers do not have access to the production\n    client/server application data or the capability to update/change these data.\n\n    DISAGREE - While application programmers do not routinely require update access to any RMP\n    production data, there are instances when temporary access is needed by specific programmers\n    under controlled circumstances. To mitigate any future risks associated with this access,\n    procedures have been reinforced which detail actions to be taken when requesting temporary\n    access to mainframe and client/server production data. We also refute OIG\xe2\x80\x99s statement that\n    application programmers serve as \xe2\x80\x9cbackup\xe2\x80\x9d to end-users. This does not occur.\n\n    52. Improve detection controls by ensuring that management or the Installation Security Officer\n    reviews server security logs periodically.\n\n    AGREE - The contractor is being directed to address the review of server security logs within\n    their overall internal control procedures. (We do not believe MMS management or the\n    Installation Security Officer should carry out this procedure.)\n\n    Kl. Ensure that the upgraded version of RACF is implemented immediately if the Program is\n    granted waiver from consolidating its mainframe operations with another mainframe operation.\n\n    DISAGREE - As discussed under Risk Assessments (Page 2), we believe OIG misunderstoud the\n    effects of delaying this software upgrade. Although this is a moot point now that MMS has replaced\n    its processor, the decision not to upgrade the RACF software was well founded.\n.\n    L 1. Evaluate acquiring system-verification hd auditing s&i%are.\n\n    DISAGREE - RMP routinely uses a number of system-assurance mechanisms such as control\n    reports, system-assurance programs and user-reconciliation reports. Nonetheless, RMP remains\n\n\n\n                                                    9\n\n\n\n\n                                                   51\n\x0c                                                                                  APPENDIX 2\n                                                                                  Page 11 of 11\n\n\nalei to any, technologic developments that would improve system integrity and operations. As\nthese packages-become available, they will be examined for applicability to the RMP computing\nenvironment.\n\nL2. Implement the system options to record activities in the SYSLOG \xe2\x80\x98during the system\ninitialization process and develop and implement procedures to ensure that periodic reviews of the\nSYSLOG for unauthorized or inappropriate activities are performed and that unauthorized or\ninappropriate activities are reported to Program management.\n\nAGREE - System initialization activities as well as operator commands are already recorded in\nthe SYSLOG. Because we are uncertain of the payoff and cost effectiveness of the periodic\nreviews, we will conduct a pilot test. The SYSLOG will be reviewed following system\ninitialization for inappropriate and unauthorized activities that may have occurred during the test.\nBased on the results, we will assess the feasibility of fully implementing this routine.\n\nL3. Evaluate the available System Management Facility (SMF) record types and implement\nprocedures to ensure that critical SMF logs are reviewed periodically and that Program management\naddresses the problems identified.\n\nAGREE - We have evaluated record types and concluded that certain log record types may be\nworthwhile for periodic review. We will pilot test a monthly review of these record types.\nDepending on the volume of records and the payoff, RMP will continue, expand, or reconsider\nthis detection method. Program management will be notified when problems are identified.\n\nMl. Update the disaster recovery plans to include all mission-critical systems.\n\nAGREE - We plan to update the disaster recovery plans to include all mission-critical systems.\nHowever, we do not agree with the OIG\xe2\x80\x99s presumption that all systems containing proprietary or\nfinancial data are \xe2\x80\x9cmission critical.\xe2\x80\x9d Many PC-based systems contain copies of such data for\nanalysis, but these systems are not considered mission critical. MMS\xe2\x80\x99 ongoing Year 2000\nproject is identifying and classifying any stand-alone systems that managers.judge to be \xe2\x80\x9cmission\ncritical.\xe2\x80\x9d If so, these systems w-ill be reclassified as such and will be required to reside on LAN\xe2\x80\x99s\nor servers that can be centrally backed up for recovery purposes.\n\n\n\n\n                                                 10\n\n\n\n\n                                                 52\n\x0c                                                                          APPENDIX 3\n                                                                            Page 1 of 3\n\n\n          STATUS OF AUDIT REPORT RECOiWMENDATIONS\n\nFinding/Recommendation\n        Reference                   Status                    Action Required\n\n            A.1            Unresolved.              Reconsider the recommendation\n                                                    to clarify that the enhanced risk\n                                                    assessment process will include\n                                                    the identification of significant\n                                                    risks affecting systems, will\n                                                    appropriately identify controls\n                                                    implemented to mitigate those\n                                                    risks, and will formalize the\n                                                    acceptance of residual risk. Also,\n                                                    an action plan that includes target\n                                                    dates and titles of officials\n                                                    responsible for implementation\n                                                    should be provided.\n\n            A.2            Unresolved.              Reconsider the response to ensure\n                                                    that local area network\n                                                    administrators participate in the\n                                                    risk assessment process, and\n                                                    provide an action plan that\n                                                    includes target dates and titles of\n                                                    officials responsible for\n                                                    implementation.\n\nA.3, F.l, F.2, L.2, L-3,   Management concurs;      Provide an action plan that\nand M.l                    additional information   includes titles of officials\n                           needed.                  responsible for implementation.\n\nB.l, B.2, E.l, and 5.2     Management concurs;      Provide an action plan that\n                           additional information   includes target dates and titles of\n                           needed.                  officials responsible for\n                                                    implementation.\n\n\n\n\n                                             53\n\x0c                                                                             APPENDIX 3\n                                                                               Page 2 of 3\n\n\n                                              .\n\nFinding/Recommendation\n       - Reference                     status                   Action Required\n\nB.3,D.l,D.2,         and L.l   Unresolved.             Reconsider the recommendations,\n                                                       and provide action plans that\n                                                       include target dates and titles of\n                                                       officials responsible for\n                                                       implementation.\n\n               c.1             Unresdlved.             Provide information relating to\n                                                       how the reconciliation of the\n                                                       statements was performed and the\n                                                       dates the actions were completed.\n\n               G.l             Unresolved.             Reconsider the recommendation,\n                                                       and provide information regarding\n                                                       controls which ensure that all\n                                                       access managers approve all\n                                                       access to their applications. Also,\n                                                       an action plan that includes target\n                                                       dates and titles of offkials\n                                                       responsible for implementation\n                                                       should be provided.\n\n               G.2             Unresolved.             Reconsider the recommendation,\n                                                       and provide information regarding\n                                                       documentation of procedures\n                                                       requiring users\xe2\x80\x99 access level\n                                                       reviews or recertification of users\xe2\x80\x99\n                                                       access be performed periodically.\n                                                       Alsp, an action plan @at includes\n                                                       target dates and titles of officials\n                                                       responsible for implementation\n                                                       should be provided.\n\n               H.l             Implemented.            No further action is required.\n\n\n\n\n                                                  54\n\x0c                                                                             APPENDIX 3\n                                                                               Page 3 of 3\n\n\n\n\n         Finding/Recommendation\n                 Reference                 status                Action Required\n\n                    I.1           Unresolved.            Respond to the revised\n                                                         recommendation, and provide an\n                                                         action plan that includes target\n                                                         dates and titles of officials\n                                                         responsible for implementation.\n\n                    J.l           Unresolved.            Reconsider the recommendation,\n                                                         and provide the procedures that\n                                                         mitigate risks when application\n                                                         programmers are allowed update\n                                                         access to production data.\n\n\n                   K.1            Unresolved.            Reconsider the recommendation,\n                                                         and provide information on\n                                                         whether the upgraded version of\n                                                         the security software has been\n                                                         implemented on the new\n                                                         processor.\n\n\n\n\n:-   .\n\n\n\n\n                                                    55\n\x0c                 ILLEGAL OR WASTEFUL ACTMTIES\n                     SHOULD BE REPORTED TO\n               THE OFFICE OF INSPECTOR GENERAL BY:\n\n\nSending written documents     to:                             cauillg:\n\n\n                     Within the Continentzil\xe2\x80\x99united      States\n\nU.S. Department of the Interior                        Our 24-hour\nOffice of Inspector General                            Telephone HOTLINE\n1849 C Street, N.W.                                     l-800-424-5081 or\nMail Stop 5341                                         \xe2\x80\x98(202) 208-5300\nWashington, D.C. 20240\n\n\n                                                        TDD for hearing impaired\n                                                        (202) 208-2420 or\n                                                        l-800-354-0996\n\n\n                    Outside the Continental United States\n\n\n                                    Caribbean Repion\n\nU.S. Department of the Interior                        (703) 235-9221\nOffice of Inspector General\nEastern Division - Investigations\n1550 Wilson Boulevard\nSuite 410\nArlington, Virginia 22209\n\n\n                                North Pacific Redon\n\nU.S. Department of the Interior                        (700) 550-7428 or\nOffice of Inspector General                            COMM g-011-671-472-7279\nNorth Pacific Regioxi\n238 Archbishop F.C. Flores Street\nSuite 807, PDN Building\nAgana, Guam 96910\n\x0c        .:   Toll Free Numbers:\n        :     l-800-424-5081\n        :     TDD l-800-354-0996\n       :\n       :\n       :     FIS/Co&ercial    Numbers:\n       a       (202) 208-5300\n       :      TDD (202) 208-2420\n       .\n       :\n\n.\n      :\n      :\n       :\n              HOTLINE\n      :      1849 C Street, N.W.\n             Mail Stop 5341\n        i    Washington, D.C. 20240\n       a:\n       :\n      :.\n      :\n     :.\n      :\n    :*\n        *\n\x0c'